Domain: kaspersky.com
Stories and comments across the archive that link to kaspersky.com.
Stories · 47
-
Eastern European Banks Were Attacked Via Backdoors Directly Connected To Local Networks, Report Finds (securelist.com)
An anonymous reader writes: Kaspersky security researcher Sergey Golovanov writes about recent cybertheft incidents involving hardware backdoors planted by criminals. Each attack had a common springboard: an unknown device directly connected to the company's local network. In some cases, it was the central office, in others a regional office, sometimes located in another country. At least eight banks in Eastern Europe were the targets of the attacks, which caused damage estimated in the tens of millions of dollars. Hardware backdoors are cheap and immune to antivirus. A firmware modified OpenWrt based router can provide covert remote access, painless packet captures, and secure VPN connections with the flip of a switch. Will a flashlight and a ladder be common tools of computer security someday? After the cybercriminals entered an organization's building, connected a device to the local network and scanned the local network seeking to gain access to the resources, they proceeded to stage three. "Here they logged into the target system and used remote access software to retain access," writes Golovanov. "Next, malicious services created using msfvenom were started on the compromised computer. Because the hackers used fileless attacks (PDF) and PowerShell, they were able to avoid whitelisting technologies and domain policies. If they encountered a whitelisting that could not be bypassed, or PowerShell was blocked on the target computer, the cybercriminals used impacket, and winexesvc.exe or psexec.exe to run executable files remotely." -
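Both stages Golovanov describes leave traces a defender can look for: a device that is not in the asset inventory appears on the LAN, and then services are installed on workstations by psexec, winexesvc or a PowerShell launcher. The script below is an added example, not code from the Securelist report or from Kaspersky's tooling. It diffs an `arp -a` snapshot against a list of known MAC addresses, and it classifies Windows "service installed" (Event ID 7045) records whose image path is a remote-execution service binary, a shell interpreter, or an encoded PowerShell command line. The ARP lines, the inventory and the service events are constructed for the example; the `PSEXESVC` service name and the `%COMSPEC% ... powershell.exe -e` shape are assumptions about what those tools typically leave behind, not facts from the page.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample: `arp -a` style output from a Linux host on the office
# segment. Addresses and MACs are hypothetical.
SAMPLE_ARP = """\
? (10.20.1.1) at 00:11:22:33:44:01 [ether] on eth0
? (10.20.1.10) at 00:11:22:33:44:10 [ether] on eth0
? (10.20.1.57) at 48:8f:5a:0c:7e:b3 [ether] on eth0
? (10.20.1.200) at 00:11:22:33:44:c8 [ether] on eth0
"""

# Constructed asset inventory: MACs of hardware the organisation owns.
KNOWN_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:10", "00:11:22:33:44:c8"}

ARP_RE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I
)


def find_unknown_devices(arp_output: str, known_macs: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (ip, mac) pairs seen on the segment whose MAC is not in the inventory.

    A hit is the "unknown device directly connected to the local network"
    from the report: a box the attackers plugged in, not one the org deployed.
    """
    known = {m.lower() for m in known_macs}
    unknown: List[Tuple[str, str]] = []
    for line in arp_output.splitlines():
        m = ARP_RE.search(line)
        if m and m.group("mac").lower() not in known:
            unknown.append((m.group("ip"), m.group("mac").lower()))
    return unknown


# Constructed events modelled on Windows System log Event ID 7045
# ("A service was installed in the system"). Only the fields used here are kept.
# Service names and image paths are assumptions about what psexec, winexe,
# a Metasploit PowerShell service payload and impacket's smbexec look like.
SAMPLE_SERVICE_EVENTS: List[Dict[str, str]] = [
    {"ServiceName": "Windows Update Helper",
     "ImagePath": "C:\\Windows\\System32\\svchost.exe -k netsvcs",
     "AccountName": "LocalSystem"},
    {"ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe",
     "AccountName": "LocalSystem"},
    {"ServiceName": "winexesvc",
     "ImagePath": "winexesvc.exe",
     "AccountName": "LocalSystem"},
    {"ServiceName": "rTAxLkNd",
     "ImagePath": "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e SQBmACgAJABQAFMAVgBl",
     "AccountName": "LocalSystem"},
    {"ServiceName": "BTOBTO",
     "ImagePath": "%COMSPEC% /Q /c echo dir ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 > %TEMP%\\execute.bat",
     "AccountName": "LocalSystem"},
]

REMOTE_EXEC_BINARIES = ("psexesvc.exe", "winexesvc.exe")
SHELL_HOSTS = ("cmd.exe", "powershell.exe", "%comspec%")
ENCODED_PS_RE = re.compile(r"\s-(e|ec|enc|encodedcommand)\s")


def classify_service_install(event: Dict[str, str]) -> List[str]:
    """Return the reasons (possibly none) a 7045 record looks like remote execution."""
    path = event["ImagePath"].lower()
    reasons: List[str] = []
    if any(b in path for b in REMOTE_EXEC_BINARIES):
        reasons.append("remote-execution service binary")
    if any(s in path for s in SHELL_HOSTS):
        # A legitimate service is a binary, not a cmd/powershell one-liner.
        reasons.append("service binary is a shell interpreter")
    if ENCODED_PS_RE.search(path):
        reasons.append("encoded PowerShell command line")
    return reasons


def flag_service_installs(events: Iterable[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (service name, reasons) for every event that trips at least one check."""
    flagged = []
    for e in events:
        reasons = classify_service_install(e)
        if reasons:
            flagged.append((e["ServiceName"], reasons))
    return flagged


if __name__ == "__main__":
    for ip, mac in find_unknown_devices(SAMPLE_ARP, KNOWN_MACS):
        print(f"unknown device {mac} at {ip}")
    for name, reasons in flag_service_installs(SAMPLE_SERVICE_EVENTS):
        print(f"service {name!r}: {', '.join(reasons)}")
```

The MAC allowlist is only a first tripwire (a planted device can spoof a known MAC), so in practice it is paired with 802.1X or switch port security; the service-install check is cheap because the attacker's tools have to create a service to run code as SYSTEM, and that creation is logged regardless of whether the payload itself ever touches disk.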
'Vigilante Hackers' Strike Routers In Russia and Iran, Reports Motherboard (vice.com)
An anonymous reader quotes Motherboard: On Friday, a group of hackers targeted computer infrastructure in Russia and Iran, impacting internet service providers, data centres, and in turn some websites. "We were tired of attacks from government-backed hackers on the United States and other countries," someone in control of an email address left in the note told Motherboard Saturday... "We simply wanted to send a message...." In addition to disabling the equipment, the hackers left a note on affected machines, according to screenshots and photographs shared on social media: "Don't mess with our elections," along with an image of an American flag...
In a blog post Friday, cybersecurity firm Kaspersky said the attack was exploiting a vulnerability in a piece of software called Cisco Smart Install Client. Using computer search engine Shodan, Talos (which is part of Cisco) said in its own blog post on Thursday it found 168,000 systems potentially exposed by the software. Talos also wrote it observed hackers exploiting the vulnerability to target critical infrastructure, and that some of the attacks are believed to be from nation-state actors...
Reuters reported that Iran's IT Minister Mohammad Javad Azari-Jahromi said the attack mainly impacted Europe, India, and the U.S.... The hackers said they did scan many countries for the vulnerable systems, including the U.K., U.S., and Canada, but only "attacked" Russia and Iran, perhaps referring to the post of an American flag and their message. They claimed to have fixed the Cisco issue on exposed devices in the US and UK "to prevent further attacks... As a result of our efforts, there are almost no vulnerable devices left in many major countries," they claimed in an email.
Their image of the American flag was a black-and-white drawing done with ASCII art. -
'Slingshot' Malware That Hid For Six Years Spread Through Routers
An anonymous reader quotes a report from Engadget: Security researchers at Kaspersky Lab have discovered what's likely to be another state-sponsored malware strain, and this one is more advanced than most. Nicknamed Slingshot, the code spies on PCs through a multi-layer attack that targets MikroTik routers. It first replaces a library file with a malicious version that downloads other malicious components, and then launches a clever two-pronged attack on the computers themselves. One, Canhadr, runs low-level kernel code that effectively gives the intruder free rein, including deep access to storage and memory; the other, GollumApp, focuses on the user level and includes code to coordinate efforts, manage the file system and keep the malware alive. Kaspersky describes these two elements as "masterpieces," and for good reason. For one, it's no mean feat to run hostile kernel code without crashes. Slingshot also stores its malware files in an encrypted virtual file system, encrypts every text string in its modules, calls services directly (to avoid tripping security software checks) and even shuts components down when forensic tools are active. If there's a common method of detecting malware or identifying its behavior, Slingshot likely has a defense against it. It's no wonder that the code has been active since at least 2012 -- no one knew it was there. Recent MikroTik router firmware updates should fix the issue. However, there's concern that other router makers might be affected. -
Kaspersky Says Telegram Flaw Used For Cryptocurrency Mining (bloomberg.com)
According to Kaspersky Lab, hackers have been exploiting a vulnerability in Telegram's desktop client to mine cryptocurrencies such as Monero and ZCash. "Kaspersky said on its website that users were tricked into downloading malicious software onto their computers that used their processing power to mine currency, or serve as a backdoor for attackers to remotely control a machine," reports Bloomberg. From the report: While analyzing the servers of malicious actors, Kaspersky researchers also found archives containing a cache of Telegram data that had been stolen from victims. The Russian security firm said it "reported the vulnerability to Telegram and, at the time of publication, the zero-day flaw has not since been observed in messenger's products." -
Kaspersky Lab Forces 'Patent Troll' To Pay Cash To End Case (arstechnica.com)
In October, Kaspersky Labs was sued by a "do-nothing patent holder in East Texas who demanded a cash settlement before it would go away," reports Ars Technica. Today, founder and CEO Eugene Kaspersky said his company has defeated five patent assertion entities, including the infamous claims from Lodsys, "a much-maligned patent holder that sent demand letters to small app developers." The patent-licensing company that sued Kaspersky Labs in October was not only defeated, but ended up paying Kaspersky $5,000 to end the litigation. From the report: The patent-licensing company, Wetro Lan LLC, owned U.S. Patent No. 6,795,918, which essentially claimed an Internet firewall. The patent was filed in 2000 despite the fact that computer network firewalls date to the 1980s. The '918 patent was used in what the Electronic Frontier Foundation called an "outrageous trolling campaign," in which dozens of companies were sued out of Wetro Lan's "headquarters," a Plano office suite that it shared with several other firms that engage in what is pejoratively called "patent-trolling." Wetro Lan's complaints argued that a vast array of Internet routers and switches infringed its patent. Most companies sued by Wetro Lan apparently reached settlements within a short time, a likely indicator of low-value settlement demands. Not a single one of the cases even reached the claim construction phase. But Kaspersky wouldn't pay up. As claim construction approached, Kaspersky's lead lawyer Casey Kniser served discovery requests for Wetro Lan's other license agreements. He suspected the amounts were low. Wetro Lan's settlement demands kept dropping, down from its initial "amicable" demand of $60,000. Eventually, the demands reached $10,000 -- an amount that's extremely low in the world of patent litigation. Kniser tried to explain that it didn't matter how far the company dropped the demand. "Kaspersky won't pay these people even if it's a nickel," he said. Then Kniser took a new tack.
"We said, actually, $10,000 is fine," said Kniser. "Why don't you pay us $10,000?" After some back-and-forth, Wetro Lan's lawyer agreed to pay Kaspersky $5,000 to end the litigation. Papers were filed Monday, and both sides have dropped their claims. -
Ask Slashdot: Should Average Consumers Install More Than One Antivirus Program On Their System?
Even though you would assume that people would know better, an anonymous reader writes, in my experience, I have found many who think installing more than one antivirus program on their computer is the right way to go about it. Some have installed as many as three third-party security suites, which among other things, takes a toll on the performance. This week the New York Times' tech tip section addresses the matter. From the article, which could be paywalled, but you don't have to read it in entirety anyway: Installing more than one program to constantly scan and monitor your PC for viruses and other security threats can create problems, because the two applications will likely interfere with each other's work. Clashing antivirus programs can cause the computer to behave erratically and run more slowly as the applications battle for system resources. Microsoft advises against running its Windows Defender security software on the same system with another installed third-party antivirus program. Likewise, antivirus software companies also warn against using other system security products when you are using theirs; Bitdefender, Kaspersky Lab and Symantec all have articles on their sites explaining the potential problems in detail. Programs that do not constantly patrol your operating system, like mail scanners, may not be an issue. What do you folks recommend to people who are not as tech-savvy? -
Kaspersky Lab Has Been Working With Russian Intelligence (bloomberg.com)
An anonymous reader quotes a report from Bloomberg: Internal company emails obtained by Bloomberg Businessweek show that Kaspersky Lab has maintained a much closer working relationship with Russia's main intelligence agency, the FSB, than it has publicly admitted. It has developed security technology at the spy agency's behest and worked on joint projects the CEO knew would be embarrassing if made public. The previously unreported emails, from October 2009, are from a thread between Eugene Kaspersky and senior staff. In Russian, Kaspersky outlines a project undertaken in secret a year earlier "per a big request on the Lubyanka side," a reference to the FSB offices. Kaspersky Lab confirmed the emails are authentic.
The software that the CEO was referring to had the stated purpose of protecting clients, including the Russian government, from distributed denial-of-service (DDoS) attacks, but its scope went further. Kaspersky Lab would also cooperate with internet hosting companies to locate bad actors and block their attacks, while assisting with "active countermeasures," a capability so sensitive that Kaspersky advised his staff to keep it secret. In this case, Kaspersky may have been referring to something even more rare in the security world. A person familiar with the company's anti-DDoS system says it's made up of two parts. The first consists of traditional defensive techniques, including rerouting malicious traffic to servers that can harmlessly absorb it. The second part is more unusual: Kaspersky provides the FSB with real-time intelligence on the hackers' location and sends experts to accompany the FSB and Russian police when they conduct raids. That's what Kaspersky was referring to in the emails, says the person familiar with the system. They weren't just hacking the hackers; they were banging down the doors. Kaspersky Lab has issued a statement in response to Bloomberg's report. It reads in part: "Regardless of how the facts are misconstrued to fit in with a hypothetical, false theory, Kaspersky Lab, and its executives, do not have inappropriate ties with any government. The company does regularly work with governments and law enforcement agencies around the world with the sole purpose of fighting cybercrime. In the internal communications referenced within the recent article, the facts are once again either being misinterpreted or manipulated to fit the agenda of certain individuals desperately wanting there to be inappropriate ties between the company, its CEO and the Russian government, but no matter what communication they claim to have, the facts clearly remain there is no evidence because no such inappropriate ties exist." -
Security Researcher Says Samsung's Tizen OS Is The Worst Code He's Ever Seen (vice.com)
Samsung has been working on its Tizen operating system for several years now, implementing it into its various televisions and smartwatches. According to a report from Motherboard, the OS isn't receiving a lot of praise in the security department. Israeli researcher Amihai Neiderman has found 40 unknown zero-day vulnerabilities in Tizen, adding that it may be the worst code he's ever seen. From the report: "It may be the worst code I've ever seen," he told Motherboard in advance of a talk about his research that he is scheduled to deliver at Kaspersky Lab's Security Analyst Summit on the island of St. Maarten on Monday. "Everything you can do wrong there, they do it. You can see that nobody with any understanding of security looked at this code or wrote it. It's like taking an undergraduate and letting him program your software." All of the vulnerabilities would allow hackers to take control of a Samsung device from afar, in what's called remote-code execution. But one security hole Neiderman uncovered was particularly critical. It involves Samsung's TizenStore app -- Samsung's version of Google Play Store -- which delivers apps and software updates to Tizen devices. Neiderman says a flaw in its design allowed him to hijack the software to deliver malicious code to his Samsung TV. Because the TizenStore software operates with the highest privileges you can get on a device, it's the Holy Grail for a hacker who can abuse it. Although TizenStore does use authentication to make sure only authorized Samsung software gets installed on a device, Neiderman found a heap-overflow vulnerability that gave him control before that authentication function kicked in. Although researchers have uncovered problems with other Samsung devices in the past, Tizen has escaped extensive scrutiny from the security community, probably because it's not widely used on phones yet. -
Kaspersky Lab Promises New Backup Tool To Help Unhappy Social Media Users Quit (kaspersky.com)
Kaspersky Lab surveyed 16,750 people and concluded that negative experiences on social media often overpower their positive effects -- and they're doing something about it. JustAnotherOldGuy pointed us to their latest announcement. 59% have felt unhappy when they have seen friends' posts from a party they were not invited to, and 45% revealed that their friends' happy holiday pictures have had a negative influence on them. Furthermore, 37% also admitted that looking at past happy posts of their own can leave them with the feeling that their own past was better than their present life. Previous research has also demonstrated people's frustration with social media, as 78% admitted that they have considered leaving social networks altogether. The only thing that makes people stay on social media is the fear of losing their digital memories, such as photos, and contact with their friends.
To help people decide more freely if they want to stay in social media or leave without losing their digital memories, Kaspersky Lab is developing a new app -- FFForget will allow people to back up all of their memories from the social networks they use and keep them in a safe, encrypted memory container and will give people the freedom to leave any network whenever they want, without losing what belongs to them -- their digital lives.
The FFForget app will be released in 2017, but there's already a web page where you can sign up for early access. Kaspersky plans to monetize this by creating both a free version of the app -- limited to one social network -- and a $1.99-per-month version which automatically backs up social content from Facebook, Google, Twitter, and Instagram in real-time with a fancier interface and more powerful encryption. -
Russia Arrests Top Kaspersky Lab Security Researcher On Charges of Treason (bleepingcomputer.com)
An anonymous reader quotes a report from BleepingComputer: Russian authorities arrested Ruslan Stoyanov, one of Kaspersky Lab's top-ranked security researchers, under article 275 of the Russian criminal code, which refers to treason. According to Russian newspaper Kommersant, who broke the story today, Stoyanov was arrested in December, together with the head of the Russian Secret Service (FSB) information security department Sergei Mikhailov. In a statement released today by Kaspersky Lab, the company says that Stoyanov was arrested based on activities he partook in before joining the company. Details regarding the investigation are murky, but according to the Russian newspaper who quotes anonymous sources, Stoyanov was involved in facilitating the transfer of funds from foreign companies to Mikhailov's accounts. According to Stoyanov's LinkedIn account, before serving as Head of the Computer Incidents Investigation Team at Kaspersky, he worked as Deputy Director for a company called Indrik, but also as a Major in the Ministry of Interior's Cyber Crime Unit. -
Antivirus Firm Kaspersky Launches Its Own Hackproof OS, Based On Microkernel (fossbytes.com)
An anonymous reader quotes a report from Fossbytes: Kaspersky Lab, a Russian cybersecurity and antivirus company, has announced their new operating system which was in development for the last 14 years. Dubbed as Kaspersky OS, it has made its debut on a Kraftway Layer 3 Switch. Not many details have been revealed by the CEO Eugene Kaspersky in his blog post. The GUI-less OS -- as it appears in the image -- has been designed from scratch and Eugene said it doesn't have "even the slightest smell of Linux." He actually tagged "Kaspersky OS being non-Linux" as one of the three main distinctive features he mentioned. The other two features he briefly described are rather fascinating. The first feature is that the Kaspersky OS is based on microkernel architecture, which basically means using the minimum amount of ingredients to bake your own operating system. The OS can be custom-designed as per requirements by using different modification blocks. The second distinctive feature is the inbuilt security system which can control application behavior and OS modules. It touts Kaspersky OS as practically unhackable, unless a cyber-baddie has a quantum computer -- which will be required to crack the digital signature of the platform -- at his disposal. -
Kaspersky Lab Files Complaint Against Microsoft for Giving Unfair Advantage To Windows Defender (myce.com)
Russian antivirus vendor Kaspersky Lab has asked antitrust regulators in various countries (including the European Union and Russia) to make Microsoft stop giving an unfair advantage to Windows Defender, Eugene Kaspersky wrote in a blog post. From a report on Myce: Microsoft is making it hard for independent anti-virus vendors to compete with Windows Defender, Microsoft's own antivirus application built into Windows 8 and Windows 10, according to founder of Kaspersky Lab, Eugene Kaspersky. For example, when users upgraded to Windows 10, their own antivirus product was disabled and Windows Defender was enabled by default. Another showcase of Microsoft's way of making it harder to compete is that antivirus companies only received a week to make their antivirus software compatible with Windows 10. And even when the antivirus software was compatible, Windows Defender would be enabled nevertheless. You can read Eugene's blog post here. -
Over 500K People Have Installed a Pokemon Go-Related App That Roots and Hijacks Android Devices (softpedia.com)
An anonymous reader writes: Over 500,000 people have downloaded an Android app called "Guide for Pokemon Go" that roots the devices in order to deliver ads and installs apps without the user's knowledge. Researchers that analyzed the malware said it contained multiple defenses that made reverse-engineering very difficult -- some of the most advanced they've seen -- which explains why it managed to fool Google's security scanner and end up on the official Play Store. The exploits contained in the app's rooting functions were able to root any Android released between 2012 and 2015. The trojan found inside the app was also found in nine other apps, affecting another 100,000 users. The crook behind this trojan was obviously riding various popularity waves, packing his malware in clones for whatever app or game is popular at one particular point in time. -
New and Improved CryptXXX Ransomware Rakes In $45,000 In 3 Weeks (arstechnica.com)
An anonymous reader writes: Whoever said crime doesn't pay didn't know about the booming ransomware market. A case in point, the latest version of the scourge known as CryptXXX, which raked in more than $45,000 in less than three weeks. Over the past few months, CryptXXX developers have gone back and forth with security researchers. The whitehats from Kaspersky Lab provided a free tool that allowed victims to decrypt their precious data without paying the ransom, which typically reaches $500 or more. Then, CryptXXX developers would tweak their code to defeat the get-out-of-jail decryptor. The researchers would regain the upper hand by exploiting another weakness and so on. Earlier this month, the developers released a new CryptXXX variant that to date still has no decryptor available. Between June 4 and June 21, according to a blog post published Monday by security firm SentinelOne, the Bitcoin address associated with the new version had received 70 bitcoins, which at current prices is valued at around $45,228. The figure doesn't include revenue generated from previous campaigns. -
US Toy Maker Maisto's Website Pushes Ransomware (pcworld.com)
An anonymous reader shares a PCWorld article: Attackers are aggressively pushing a new file-encrypting ransomware program called CryptXXX by compromising websites, the latest victim being U.S. toy maker Maisto. Fortunately, there's a tool that can help users decrypt CryptXXX affected files for free. Security researchers from Malwarebytes reported Thursday that maisto.com was infected with malicious JavaScript that loaded the Angler exploit kit. This is a Web-based attack tool that installs malware on users' computers by exploiting vulnerabilities in their browser plug-ins. It also steals bitcoins from local wallets, a double hit to victims, because it then asks for the equivalent of $500 in bitcoins in order to decrypt their files. [...] Researchers from antivirus firm Kaspersky Lab recently updated their ransomware decryption tool to add support for CryptXXX affected files. The attack code exploits vulnerabilities in older versions of applications such as Flash, Java, Internet Explorer, and Silverlight. At this point, it isn't clear exactly how many users are affected. -
Steam Stealer Malware Becomes Extremely Sophisticated, Remains Very Cheap (securelist.com)
An anonymous reader writes: During the past years, malware aimed at stealing game inventory items from Steam accounts and logging Steam login credentials has become extremely sophisticated, but [has] remained at a lower-tier pricing range on underground hacking forums, rarely going above $10, never over $30. Valve says that it receives 77,000 complaints a month for hacked accounts, and Steam Stealers are responsible for most of them. [The] most targeted game is Counter-Strike: Global Offensive, while Kaspersky Lab says that most of the cyber-gangs behind these malware families are of Eastern European origin, mostly Russian. -
The Source of All Major Android Banking Trojans Just Got Updated To V2 (softpedia.com)
An anonymous reader writes: Apparently, during the past months it has started coming to the surface the fact that most top-tier Android malware was actually related, coming from a common malware variant called GM Bot, and sold for only $5,000 on underground hacking forums. Taking advantage of his new found glory, the coder behind that malware has now released a second version, three times the price of the first, complete with 3 exploits that can guarantee root access on older versions of Android (which are plenty thanks to [ignorant] OEMs and carriers). Some of the malware that originated from GM Bot includes: SimpleLocker (first crypto-ransomware for Android), AceCard (considered the most sophisticated Android malware to date), Bankosy and SlemBunk (banking trojan and backdoor), and Mazar Bot (banking trojan, backdoor and ransomware). To make things worse, GM Bot v1's source code also got leaked online, making it available to any halfwit developer that wants a crack at a cybercrime career. -
Security Researchers Face Revenge of Spy Agencies (theregister.co.uk)
mask.of.sanity writes: Researchers tasked with revealing malware attack campaigns are being harassed, locked out of tenders, and in some cases deported. The retaliation by the unnamed spy agencies is in direct response to the popular published advanced persistent threat campaigns that have coloured information security reporting over recent years. More details from researcher Juan Andrés Guerrero-Saade are available in a paper (pdf). -
Infected ATMs Give Away Millions of Dollars Without Credit Cards
An anonymous reader writes: Kaspersky Lab performed a forensic investigation into cybercriminal attacks targeting multiple ATMs around the world. During the course of this investigation, researchers discovered the Tyupkin malware used to infect ATMs and allow attackers to remove money via direct manipulation, stealing millions of dollars. The criminals work in two stages. First, they gain physical access to the ATMs and insert a bootable CD to install the Tyupkin malware. After they reboot the system, the infected ATM is now under their control and the malware runs in an infinite loop waiting for a command. To make the scam harder to spot, the Tyupkin malware only accepts commands at specific times on Sunday and Monday nights. During those hours, the attackers are able to steal money from the infected machine. -
Bug Bounties Don't Help If Bugs Never Run Out
Bennett Haselton writes: "I was an early advocate of companies offering cash prizes to researchers who found security holes in their products, so that the vulnerabilities can be fixed before the bad guys exploited them. I still believe that prize programs can make a product safer under certain conditions. But I had naively overlooked that under an alternate set of assumptions, you might find that not only do cash prizes not make the product any safer, but that nothing makes the product any safer — you might as well not bother fixing certain security holes at all, whether they were found through a prize program or not." Read on for the rest of Bennett's thoughts.
In 2007 I wrote:
It's virtually certain that if a company like Microsoft offered $1,000 for a new IE exploit, someone would find at least one and report it to them. So the question facing Microsoft when they choose whether to make that offer, is: Would they rather have the $1,000, or the exploit? What responsible company could possibly choose "the $1,000"? Especially considering that if they don't offer the prize, and as a result that particular exploit doesn't get found by a white-hat researcher, someone else will probably find it and sell it on the black market instead?
Well, I still believe that part's true. You can visualize it even more starkly this way: A stranger approaches a company like Microsoft holding two envelopes, one containing $1,000 cash, and the other containing an IE security vulnerability which hasn't yet been discovered in the wild, and asks Microsoft to pick one envelope. It would sound short-sighted and irresponsible for Microsoft to pick the envelope containing the cash — but when Microsoft declines to offer a $1,000 cash prize for vulnerabilities, it's exactly like choosing the envelope with the $1,000. You might argue that it's "not exactly the same" because Microsoft's hypothetical $1,000 prize program would be on offer for bugs which haven't been found yet, but I'd argue that's a distinction without a difference. If Microsoft did offer a $1,000 prize program, it's virtually certain that someone would come forward with a qualifying exploit (and if nobody did, then the program would be moot anyway) — so both scenarios simply describe a choice between $1,000 and finding a new security vulnerability.
But I would argue that there are certain assumptions under which it would make sense not to offer a cash prize program — and, in keeping with my claim that this is equivalent to the envelope-choice problem, under those assumptions it actually would make sense for Microsoft to turn down the envelope containing the vulnerability, and take the cash instead. (When I say it would "make sense", I mean both from a profit-motive standpoint, and for the purposes of protecting the security of their users' computers.)
On Monday night I saw a presentation put on by Seattle's Pacific Science Center "Science Cafe" program, in which Professor Tadayoshi Kohno described how he and his team were able to defeat the security protocols of a car's embedded computer system by finding and exploiting a buffer overflow. That's scary enough, but it was more interesting how his description of the task made it sound like a foregone conclusion that they would find one — you simply sink this many person-hours into the task of looking for a buffer overflow, and eventually you'll find one that can enable a complete takeover of the car. (He confirmed to me afterwards that in his estimation, once the manufacturer had fixed that vulnerability, he figured his same team could have found another one with the same amount of effort.)
More generally, I think it's reasonable to assume that for a given product, there is a certain threshold amount of money/effort/person-hours such that if you throw that much effort at finding a new security vulnerability, you will always find a new one. Suppose you call this the "infinite bug threshold." Obviously the number of vulnerabilities is not really infinite — you can only do finitely many things to a product in a finite amount of time, after all — but suppose it's so close to infinite as to make no difference, because the manufacturer would never be able to fix all the vulnerabilities that could be found for that amount of effort. I'm sure that $10 million worth of effort, paid to the right people, will always find you a new security vulnerability in the Apache web server; the same is probably true for some dollar number much lower than that, and you could call that the "infinite bug threshold". On the other hand, by definition of that threshold, that means that the number of vulnerabilities that can be found for any amount of money below that will be finite and manageable.
(I'm hand-waving over some details here, such as the disputes over whether two different bugs are really considered "distinct," or the fact that once you've found one vulnerability, the cost of finding other closely related vulnerabilities in the same area of the product, often goes way down. But I don't think these complications negate the argument.)
Meanwhile, you have the black-market value of a given type of vulnerability in a given product. This may be the value that you could actually sell it for on the black market, or it may be the maximum amount of effort that a cyber-criminal would invest in finding a new vulnerability. If a cyber-criminal will only start looking for a particular type of vulnerability if they estimate they can find one for less than $50,000 worth of effort, then $50,000 is how much that type of vulnerability is worth to them.
Now consider the case where
infinite bug threshold > black-market value
This is the good case. It means that if the manufacturer offered a prize equal to the black-market value of an exploit, any rational security researcher who found a vulnerability, could sell it to the manufacturer rather than offering it on the black market (assuming they would find the manufacturer more reliable and pleasant to deal with than the Russian cyber-mafia). And we're below the infinite bug threshold, so by definition the manufacturer only has to pay out a finite and manageable number of those prizes, before all such vulnerabilities have been found and fixed. I've made a couple of optimistic assumptions here, such as that the manufacturer would be willing to pay prizes in the first place, and that they could correctly estimate what the black-market value of a bug would be. But at least there's hope.
On the other hand, if
infinite bug threshold < black market value
everything gets much worse. This means that no matter how many vulnerabilities you find and fix, by the definition of the infinite bug threshold there will always be another vulnerability that a black-hat will find it worthwhile to discover and exploit.
And that's the pessimistic scenario where it doesn't really matter whether Microsoft chooses the envelope with the vulnerability or the envelope with the $1,000, if the infinite-bug-threshold happens to be below $1,000. (Let's hope it's not that low in practice! But the same analysis would apply to any higher number.) If the black-market-value of a bug is at least $1,000, so that's what the attacker is willing to spend to find one, and if that's above the infinite-bug-threshold, then you might as well not bother fixing any particular bug at that level, because the attacker can always just find another one. It doesn't even matter whether you have a prize program or not; the product is in a permanent state of unfixable vulnerability.
At that point, the only ways to flip the direction of the inequality, to reach the state where "infinite bug threshold > black-market value", would be to decrease the black market value of the vulnerability, or increase the infinite bug threshold for your product. To decrease the black market value, you could implement more severe punishments for cyber-criminals, which makes them less willing to commit risky crimes using a security exploit. Or you could implement greater checks and balances to prevent financial fraud, which decreases the incentives for exploits. But these are society-wide changes that would not be under the control of the software manufacturer. (I'm not sure if there's anything a software company could do by themselves to lower the black-market value of a vulnerability in their product, other than voluntarily decreasing their own market share so that there are fewer computers that can be compromised using their software! Can you think of any other way?)
Raising the infinite bug threshold for the product, on the other hand, may require re-writing the software from scratch, or at least the most vulnerable components, paying stricter attention to security-conscious programming standards. Professor Kohno said after his talk that he believed that if the programmers of the car's embedded systems had followed better security coding practices, such as the principle of least privilege, then his team would not have found vulnerabilities so easily.
I still believe that cash prizes have the potential to achieve security utopia, at least with regard to the particular programs the prizes are offered for — but only where the "infinite bug threshold > black-market value" inequality holds, and only if the company is willing to offer the prizes. If the software is written in a security-conscious manner such that the infinite bug threshold is likely to be higher than the black-market value, and the manufacturer offers a vulnerability prize at least equal to the black-market value, then virtually all vulnerabilities which can be found for less than that much effort, will be reported to the manufacturer and fixed. Once that nirvana has been achieved, for an attacker to find a new exploit, the attacker would have to be (1) irrational (spending an estimated $70,000 to find a vulnerability that is only worth $50,000), and (2) evil beyond merely profit motive (using the bug for $50,000 of ill-gotten gain, instead of simply turning it in to the manufacturer for the same amount of money!). That's not logically impossible, but we would expect it to be rare.
On the other hand, for programs and classes of vulnerabilities where "infinite bug threshold < black-market value", there is literally nothing that can be done to make them secure against an attacker who has time to find the next exploit. You can have multiple lines of defense, like installing anti-virus software on your PC in case a website uses a vulnerability in Internet Explorer to try and infect your computer with a virus. But Kaspersky doesn't make anything for cars.
-
Sophisticated Spy Tool 'The Mask' Rages Undetected For 7 Years
thomst writes "Kim Zetter of Wired's Threat Level reports that Kaspersky Labs discovered a Spanish-language spyware application that 'uses techniques and code that surpass any nation-state spyware previously spotted in the wild.' The malware, dubbed 'The Mask' by Kaspersky's researchers, targeted government agencies, diplomatic offices, embassies, companies in the oil, gas and energy industries, research organizations, and activists. It had been loose on the Internet since at least 2007 before being shut down last month. It infected its targets via a malicious website that contained exploits — among which were the Adobe Flash player vulnerability CVE-2012-0773, affecting both Windows and Linux machines. Users were directed to the site via spearphishing emails." -
How Much Is Your Gmail Account Worth To Crooks?
tsu doh nimh writes "If you use Gmail and have ever wondered how much your account might be worth to cyber thieves, have a look at Cloudsweeper, a new OAuth service launching this week that tries to price the value of your Gmail address based on the number of retail accounts you have tied to it and the current resale value of those accounts in the underground. From KrebsOnSecurity: 'The brainchild of researchers at the University of Illinois at Chicago, Cloudsweeper's account theft audit tool scans your inbox and presents a breakdown of how many accounts connected to that address an attacker could seize if he gained access to your Gmail. Cloudsweeper then tries to put an aggregate price tag on your inbox, a figure that's computed by totaling the resale value of other account credentials that crooks can steal if they hijack your email.'" A recent report from Kaspersky (PDF) also highlighted the trend toward phishing attempts targeting Facebook, Google, and Yahoo accounts alongside bank accounts. -
Kaspersky Update Breaks Internet Access For Windows XP Users
An anonymous reader writes "Yesterday afternoon, Kaspersky Labs released a definition update that blocked all Internet and Intranet access on Windows XP workstations. While there has been no official communication from Kaspersky, their forum is lit up with angry customers relying on each other to find a fix." Update: 02/05 16:42 GMT by T : Thanks to an anonymous reader, who says that Kaspersky has issued a statement, and a fix (though the fix takes some manual labor to implement). -
Interviews: Eugene Kaspersky Answers Your Questions
Last week, you asked questions of Eugene Kaspersky; below, find his answers on a range of topics, from the relationship of malware makers to malware hunters, to Kaspersky Labs' relationship to the Putin government, as well as whitelisting vs. signature-based detection, Internet ID schemes, and the SCADA-specific operating system Kaspersky is working on. Spoiler: There are a lot of interesting facts here, as well as some teases.
Which OS/OSs do you run?
by magic maverick
While MS Windows is the most common computer OS around, there are obviously many others. For your personal use, what is your main OS, and how do you keep it secure (do you, e.g., run MS Windows with anti-malware software, or do you run Ubuntu Linux with the defaults)? Is this a setup that you would suggest for others, or is it too esoteric?
Eugene Kaspersky: I'm afraid my answer's nothing special — I've got Windows 7 on my laptop + Kaspersky Internet Security 2013. To put it short, I've no need for any other operating systems like Ubuntu or Mac OS, and some software I need is available only under Windows.
The special thing about my devices is that I don't have a smartphone. I use a good old Sony Ericsson, whose most advanced feature is its (handy) flashlight. A simple phone like this is the safest mobile you could ever choose!
On this topic I also have a few tips I can share with you:
- Outside the KL corporate network I always use a VPN connection. If you have the possibility to use VPN — do so. It's a very useful way to minimize risks.
- Always use quality security software and keep it updated (automatically). That is an absolute must.
- I prefer using browsers with a relatively high security level (e.g., Chrome) and I disable scripts in it.
- And finally, the most important rule — also the simplest: always — always — use your head. I'm certain that the above + common sense is perfectly sufficient for secure personal use.
What color is your hat?
by eldavojohn
I feel like when someone is as deep in malware protection as you are, you're basically running malware and, I assume, developing malware or finding exploitable aspects of software. I notice you "discover" a lot of malware but I don't recall seeing you publish any exploits. How much malware development do you do? Any at all? Is there anyone in your company that attempts to mimic what other malware does so you can better understand it? Do you feel like that is a necessity in the field of malware protection?
EK: No, no and no. We don't develop malware and we don't publish exploits. Both happen to be illegal — and amoral. I don't recommend that you do either, either.
Firemen don't start fires, doctors don't infect people, and antivirus companies don't create viruses. Any at all.
We detect 200,000 new threats every day as it is. Keeping on top of them all is quite a task. And another thing — we don't hire ex-hackers. Our business is built on trust, and we apply the highest standards in sensitive areas of our work: in malware analysis, product development, etc. Like a homicide detective doesn't need to kill to investigate a murder more effectively, a good expert doesn't need to be on the dark side to analyze viruses and predict what may come next.
Why do we still use the black list security model?
by Zaphod-AVA
Malware continues to be successful despite our current efforts. Why do we continue to use the same failed security model? Automated white listing seems like a better answer to modern security problems.
Imagine a whitelist that checks with a central repository that reputable software manufacturers send their updates to. Even with updates, checking the software you regularly run is now a simpler problem than comparing everything you run to a list of all the malware in existence.
EK: Actually we do use a whitelist security approach. Modern antiviruses are not simply based on signature analysis; they are sophisticated pieces of software containing whitelisting as well. Faced with constantly increasing malicious activity, the AV industry needs to seriously toughen up and come up with new approaches. One such new approach is the application of whitelisting technology.
Whitelisting takes a different view of computer files. It doesn't look for the bad things on your PC like with the traditional pattern-based approach, instead it just checks if files are safe based on whether such files are already whitelisted — already in the whitelist database of known-to-be-ok software. Any files that aren't already whitelisted are marked as potentially bogus. Our whitelist of ok'ed files is now populated by more than 530 million green-lighted files.
Now, depending on the settings you make in the antivirus program, files not included in the whitelist directory can be either automatically blocked (particularly useful in a corporate environment), or flagged as suspicious and sent for additional checks by anti-virus components. For the suspicious ones, a further stage of analysis can be performed by running them in Safe Run — an isolated sandbox environment from which maliciousness can't contaminate the computer's environment proper. Alternatively, right-clicking a file gives you its reputation info from our cloud-based KSN (video, details), which incidentally gets 400,000 file-checking requests per second!
The traditional pattern-based approach by its nature needs to catch 100% of all the maliciousness on a computer to be effective. Besides, every instance of malware needs to be analyzed and entered into a database, which takes time, and this is a crucial moment if we talk about epidemics. Whitelisting, on the other hand, isn't bothered about bogusness directly — it's not its concern. It concentrates instead on simply detecting possibly bogus files — files not included in the whitelist, just in case, as it were. And this task is completed in seconds — much quicker than the traditional approach's task. Since today we detect around 200,000 malware samples every day, and this figure is only going to keep on increasing, just in case becomes crucially important, and isn't just some new bell/whistle addition to traditional antivirus.
Of course, let the pattern approach keep at it with the baddies, which it is doing, valiantly. But also let whitelisting do its thing with goodies. The result? Superior overall protection — a lot quicker. Kind of what we're all after, after all.
Re: Assembly code and vulnerability of Apple
by dave562
We see Apple growing in market share and one of the memes that has been accepted by a large part of the community is that Apple is not targeted by malware authors in part because the return on investment is not as high as it is for Windows machines. To put it another way, if a malware author targets Windows they get millions of home users, but more importantly, they also have the potential to infect corporate systems, server farms, etc. If they go after OS X, they get a bunch of home computers and some audio visual professionals.
Apple's market share is growing, and they also have converted their OS over to run on Intel chips. It now shares the same hardware base as PCs that run Windows. Given that all of the really advanced malware code (rootkits, polymorphism, etc.) is written in Assembly, do you foresee any tipping point coming where OS X will be targeted on a large scale like Windows has been? Or is there simply not enough of a payoff there for the malware creators, given the ease of exploitation and widespread deployment of Windows?
EK: Cybercrime today is no game; it's a very successful business. Its underlying principle is simple: risks are taken and attacks are invested in only if lots of money can be earned. The more users you can reach — the more money you may get. Simple. These days Mac OS market share is high enough to be attractive to the bad guys. In 2011 it was estimated that Apple had over 5% of worldwide desktop/laptop market share. And figures by web-tracking company Net Applications for the month of August 2012 show that Apple's combined share of the desktop market — counting versions 10.4 and after of OS X — is 7.11%, while Windows Vista for example takes 6.1%! This is a significant figure already, and that's why cyber criminals are turning their heads towards Apple.
The Flashfake epidemic, the first global Trojan for Mac OS, highlighted two things:
First, it showed that the most popular Windows attack scenario can be easily copied for Mac: a Trojan spreads via drive-by downloads — no user interaction needed, no clicks, no admin password. Just surf to a hacked website and the malware gets installed onto your computer automatically.
Second, epidemics are indeed now possible for Mac: if you compare the number of computers infected by Flashfake with the overall number of Macs, you'll find out that the "iBotnet" can be compared to Conficker — the biggest PC-botnet in history!
In sum this all means that we've reached the stage where attacks on Mac OS have become a usual phenomenon — not unusual as claimed in the past. And the scale will only increase. The Apple marketing people may not like it, but it's time to admit it — yes guys, your system is as vulnerable as Windows. Don't ignore the lesson of Flashfake. Think serious about security, not just different [sic].
Re: Healthcare/industry-specific software?
by HideyoshiJ
Many pieces of software and hardware used in healthcare are required to pass FDA certification, especially in areas like radiology. Often times, these vendors report that because they are certified on a certain patch level, these systems cannot be patched without losing that certification. Do you see any solutions to the current state of industry-specific software's seeming lack of quality, updates and security?
EK: What works best in these circumstances is whitelisting. We realized the importance of whitelisting a long time ago when we started our whitelisting program. Like many technologies, whitelisting is not a solution by itself, but in terms of more completely protected machines in healthcare it really does help. What's more, because such machines generally go unchanged the whitelisting rules can be extra strict. In our experience this works very well, especially in combination with technologies such as exploit prevention.
Anonymous Internet IDs
by AaronLS
Do you believe everyone could be issued an ID, and still remain anonymous? What I mean is, I believe that you could ensure each of your users is unique, but not necessarily know who they are. If everyone is issued a certificate signed by some trusted authority, one could verify that the certificate is valid, without the certificate exposing the information about who you are. You could even have a scheme that lets the authority issue you multiple IDs, but only one for each unique ForUseWithDomain attribute, such that if you wanted to keep your identity from being correlated across different sites, you could do so. This could probably even be automated.
This would ensure that if you banned a malicious user from your site, they wouldn't be able to come back without compromising someone else's certificate. Yet, you still get a high level of anonymity.
Sites that require non-anonymous access could deny anonymous certificates, and require that you authorize access to full name perhaps. This would be like OpenID in the way it will prompt you for a site requesting additional information, like your email.
EK: Firstly, in my opinion, Internet IDs aren't necessary for every type of Internet activity. Let me clarify in what cases I think Internet ID is needed. I believe the World Wide Web should be divided into three zones. Red zone is for critical processes: voting in elections, online banking, interactions with official bodies, and other critical transactions. For operations in this zone an Internet ID should be necessary. This is in everyone's interest — no one wants to lose private data which in some cases may lead to losing money, for example. Then comes the grey zone, where minimal authorization is needed. For example, age verification for online shops selling alcohol or adult stores. I don't think an Internet ID is necessary for this zone. You're right — Open ID is enough. And finally — the green zone: blogs, social networks, news sites, chats ... — everything related to your freedom of speech. No authorization required.
I suggest using special proxies for surfing in the red zone. You register using your Internet ID and then you use a nickname. Nobody can see your real name. If you break the law, your identity is subject to disclosure after legal procedures and a court decision. I want to stress that nobody can discover your real identity if you observe the law.
Re: Online anonymity
by gallondr00nk
Recent protest movements and the Arab Spring have shown that the ability to use the Internet anonymously is crucial to organizing resistance and circumventing censorship or oppression. In light of that have you modified your views on the "Internet ID"?
EK: My position on Internet ID is developing. The more governments speak about regulation of the Internet, the more liberal I become. I'm really worried that one day governments will go too far in their attempts to control the WWW and its users.
After the Arab spring I've slightly changed my views on the subject. I still think that Internet IDs are required for certain operations, but as I've explained above, you don't need them when, say, surfing social networks. And as far as I know it was specifically Twitter and Facebook that were used as communication tools for protesters during the Arab Spring.
Re: "Approved" Spyware
by Fnord666
I assume that various state sponsored agencies provide you with their "research" tools and ask that you not detect them with your products nor should you interfere with their operation. To what extent does this happen, to what degree are you "asked" to comply, and to what degree are you forbidden to discuss this topic? Do you, or if you had the opportunity to do so without repercussions would you, offer a version of your products that identified and disabled this spyware?
EK: There is nobody who can forbid me from discussing this topic, so here you go. The short answer is no — we don't have relations with state sponsored agencies in the way you describe. Nor ever will.
Reputation is an extremely important asset in our business. If you let somebody be your bodyguard you need to be 100% sure that you can rely on this guy. And it's the same for users and companies when choosing security software. Trust is everything for us. If we had such a skeleton in the closet, our rep would go into a nosedive. And believe me, such a skeleton would be found if it ever existed: I'm pretty sure that our products are analyzed scrupulously by competitors, cyber criminals and governments. No, secret agreements with state agencies like the one you imagine — there's never been such a thing nor ever will be.
Kaspersky's relationship with the government
by swb
Does Kaspersky have a relationship with the Putin administration or the FSB? Do either of these organizations have any influence on the business practices or technology of Kaspersky antivirus? Should a security minded person be concerned with the geographic origin of security software?
EK: Firstly, we have relations with law enforcement agencies in many countries, not only in Russia, as per which we provide expertise. Moreover, all the world's leading security companies — Symantec, McAfee/Intel, and Kaspersky Lab — we all collaborate with law enforcement bodies in our own countries and worldwide — to help fight cybercrime. CERTs, the FBI, FSB, Interpol, etc. — our duty is to help them investigate criminal cases.
Without the expertise of security professionals, successful law enforcement operations would be an unattainable dream. When cybercrime cases are domestic, IT Security companies work with their law enforcement agencies to assist in investigations. When they're international, they work with the appropriate law enforcement authorities of the affected countries to abide by legal policies and federal jurisdictions. This cooperation is crucial in fighting cybercrime worldwide, and we are proud to be a part of the process.
Secondly, Kaspersky Lab is a private international company which registered its holding in Great Britain in 2006. This means that our financial reporting is completely transparent and freely available to anyone. As a private company we act independently. There's no organization that could influence our business or product development.
And finally, regarding origin: Paranoia can be useful sometimes, but you should have good reasons for it. Should the security minded person be concerned that his/her laptop is assembled in China? Or that Intel, which produces most processors, has plants not only in the US, but also in Israel, Ireland and China too? Many other chip companies of course design their chips but have them produced by third parties — mostly in Taiwan and China. Should one be worried that one of the leading Microsoft R&D centers is situated in Israel? Or that the SAP headquarters is in Germany, Sony's in Japan, and Acer's in Taiwan?
We live in the age of globalization. Kaspersky Lab has R&D centers and virus experts around the world, including Russia, Europe, Japan, China, the United States and Latin America. It's simply not a question of origin any more.
In the early 2000s, when we first entered both the UK and US markets, we were perceived with a somewhat prejudiced attitude. Nobody took much notice of our product's quality, only of its origin. However, I think that was because of a lack of information about our company and the products we supplied. Over the years the situation has changed: it's impossible for a superior quality product to stay ignored.
Are you safe Mr. Kaspersky?
by Lieutenant_Dan
You're operating out of the same country that has a ton of botnet operators raking in some decent dough with cheap pharmaceutical sales thanks to people desperate or naive enough to do so.
There have been some interesting stories hailing from your corner of the world. How do you feel about your ability to run your company the way you want, without any threats to you or your staff?
EK: Botnet operators? Cyber criminals? I'd say they're the most tamed animals in our zoo! In recent years we've been discovering much wilder, more dangerous stuff — more and more viruses that can be classified as cyber weapons, created by nation states or by private companies sponsored by them.
Though you can never be absolutely safe, our staff hasn't been threatened, and I hope never will be. This may be because we fight malware, we don't conduct criminal investigations. This is what the police should do.
Re: Your secure OS
by lister king of smeg
You plan on making a secure OS for industrial/infrastructure systems; do you plan on basing it on preexisting open kernels, such as BSD, Linux, Haiku, or Mach? Will it be Unix/Posix like? Will it be a monolithic or micro kernel? Or are you thinking more of a hypervisor that hosts and monitors the guest OS for SCADA systems?
EK: It will not be based on Linux or any other OS. Existing operating systems weren't created with security in mind. Security is an extra option for many of them, and vulnerabilities are inevitable. Of course existing systems have a lot going for them — and we recognize that. But I think that their level of security isn't high enough to cope with today's threats.
We're developing our OS at the microkernel level.
We support the POSIX standard to the extent it does not contradict our security principles. Our main target is to create a development platform for those interested in producing software or hardware with very high levels of security. As for a hypervisor, its creation is not our original intent, although we're not completely disregarding such a development path.
Re: Your exploit-free OS
by eldavojohn
Recently you confirmed you're working on an exploit-free OS following all the SCADA attacks. Among other things, you're claiming it is to be written from scratch but I can't find many details on what it's going to look like architecturally. You say: "Architecturally, the operating system is constructed in such a way that even a break-in into any of the components or applications loaded onto it won't allow an intruder to gain control over it or to run malicious code."
Could you expound on this? Are you writing this code or still in the design phase? Or better yet, could you compare it to something like, say, CentOS or Debian, and tell us how your architecture is going to be more secure? I understand you're scoping down the requirements of your OS to be more easily manageable, but the skeptic in me feels like it just can't be done. The cat and mouse game must be played in some form or fashion.
EK: This highly-complex project is extremely time consuming. We are still writing the code but we already have several working prototypes.
Don't believe the skeptic inside you. It is possible. Our OS will guarantee that only functionality which has been explicitly declared in advance can run. I'm afraid I'm not ready to disclose much information at this stage — our rivals are watching. We are also currently collaborating with hardware manufacturers. Where there is a need for a superior level of security we plan to provide an integral, reliable computer appliance developed by our own team of specialists. Regarding architecture, we're not restricting ourselves to anything specific such as x86 or ARM. The hardware will definitely have to meet some specific requirements because it will have a direct bearing on the ability to ensure the required security guarantees. Follow our news — it's going to be interesting.
Re: The importance of programming language to SCADA security?
by Anonymous Coward
How important will the process of choosing a "language-based system" be to ensure the security of the operating system you envision? Choosing a type-safe language to create a memory-safe OS can help with the threats posed by the Internet or malware while also reducing some complex code used to get around a lack of type-safety in an OS. Will you be creating your own system or general purpose programming language to ensure this security in this way? If not, there are a few languages already available, or partially available, to choose from: Cyclone (an extension of the last version of C), Red/System (still under development), Euphoria (a system language with type-checking, and it uses simple words instead of punctuation to improve readability) and the combination of a type-safe Assembly that handles hardware and memory with managed C# that handles the rest of the kernel and the applications (like Microsoft implements in the Verve OS and might implement in a future Windows; that is, code-name Midori).
EK: Using a type-safe language is an interesting and promising approach, although we're not using it in our microkernel. We give a higher priority to tailoring the OS architecture to our security principles, which do not depend on the implementation language. We'll share more details on the approaches we use later.
Re: Malware's history and future?
by Anonymous Coward
You've been in computer security a long time, and have seen many things come and go. DOS/bootsector viruses, Windows viruses, macro viruses, rise of worms to replace them, and now the commercialization of malware with botnets, extortion-ware and the targeted weaponised malware like the one that hit Iran (and who knows what else). What's changed? What's remained the same? What about the malware creators — has their motivation changed? Where do you believe things are headed?
EK: Twenty years ago malware was a curious toy for programmers. Ten years ago it was a criminal instrument for bad guys who wanted to earn some money. Today it's a cyber weapon for governments. And that is the main and the most dangerous tendency of recent years.
Recent malware — Stuxnet, Duqu, Flame, Gauss — proved that cyber weapons (i) are relatively cheap to produce, (ii) are effective, (iii) mostly go undetected, (iv) leave their authors anonymous, and (v) can be easily replicated. And they're hard to protect against. They look like perfect weapons to some governments. In the meantime, Pandora's box is now wide open.
The most dangerous aspect of cyber weapons is their unpredictable side effects. A worst case scenario is when a cyber weapon aimed at a specific industrial object — like, say, Stuxnet — isn't actually able to accurately pick out its victim — either down to a mistake in the algorithm or a banal error in the code. As a result of such an attack the targeted victim — let's say a nuclear power station — would not be the only one affected: all the other nuclear stations in the world built with the same design would be too. Sounds scary, doesn't it? And without control from an international body, it could become more than scary: catastrophic.
As concerns home/consumer users, the defining feature of the next decade will be an enormous shift to mobile OS — and all the cyber criminals will be there already to greet them. The more financial transactions we conduct using smartphones, the more cyber criminals will target them. Future developments are likely to see more mobile botnets and drive-by downloads. There is also a high probability that the first mass worm for Android will appear, capable of spreading itself via text messages and sending out links to itself at some online app store. We're also likely to see more mobile botnets, of the sort created using the RootSmart backdoor.
Digital concepts young people should learn?
by davecrusoe
There's much talk about combating malware through technical solutions (e.g., adding transparency to communication, building increasingly sophisticated scanning systems, etc.). But what interests me is what we should be teaching our young people (children in primary and secondary school) with respect to the expertise we wished all adults possessed. In your estimation, what are 2-3 things that, if young people understood well, would help them excel in the face of cyber adversity (e.g., malware, privacy theft, etc.)?
EK: The most important advice I can give to young people is to always use your head. It might sound too simplistic, but if everyone who surfs online followed this rule the risks would be minimized. Don't download suspicious applications, and use social networks with caution. The largest portion of viruses is being spread with the use of social engineering, so never open links or files from unknown persons. Never ever! And even if you know the person, double check before doing so. Another way is to open suspicious files or links in a Sandbox mode.
Also, always use up-to-date quality security software. Free AV products are not a solution. Don't forget to update your system regularly. Install all the patches from the software developer and don't ignore update notifications.
By following these few simple rules you can minimize the risks online. As I mentioned, I've got standard Windows running with Internet Security, and I don't experience any problems with online surfing. -
Interviews: Eugene Kaspersky Answers Your Questions
Last week, you asked questions of Eugene Kaspersky; below, find his answers on a range of topics, from the relationship of malware makers to malware hunters, to Kaspersky Lab's relationship to the Putin government, as well as whitelisting vs. signature-based detection, Internet ID schemes, and the SCADA-specific operating system Kaspersky is working on. Spoiler: There are a lot of interesting facts here, as well as some teases.
Which OS/OSs do you run?
by magic maverick
While MS Windows is the most common computer OS around, there are obviously many others. For your personal use, what is your main OS, and how do you keep it secure (do you, e.g., run MS Windows with anti-malware software, or do you run Ubuntu Linux with the defaults)? Is this a setup that you would suggest for others, or is it too esoteric?
Eugene Kaspersky: I'm afraid my answer's nothing special — I've got Windows 7 on my laptop + Kaspersky Internet Security 2013. In short, I've no need for any other operating systems like Ubuntu or Mac OS, and some software I need is available only under Windows.
The special thing about my devices is that I don't have a smartphone. I use a good old Sony Ericsson, whose most advanced feature is its (handy) flashlight. A simple phone like this is the safest mobile you could ever choose!
On this topic I also have a few tips I can share with you:
- Outside the KL corporate network I always use a VPN connection. If you have the possibility to use a VPN — do so. It's a very useful way to minimize risks.
- Always use quality security software and keep it updated (automatically). That is an absolute must.
- I prefer using browsers with a relatively high security level (e.g., Chrome) and I disable scripts in it.
- And finally, the most important rule — also the simplest: always — always — use your head. I'm certain that the above + common sense is perfectly sufficient for secure personal use.
What color is your hat?
by eldavojohn
I feel like when someone is as deep in malware protection as you are, you're basically running malware and, I assume, developing malware or finding exploitable aspects of software. I notice you "discover" a lot of malware but I don't recall seeing you publish any exploits. How much malware development do you do? Any at all? Is there anyone in your company that attempts to mimic what other malware does so you can better understand it? Do you feel like that is a necessity in the field of malware protection?
EK: No, no and no. We don't develop malware and we don't publish exploits. Both happen to be illegal — and amoral. And I don't recommend that you do either.
Firemen don't start fires, doctors don't infect people, and antivirus companies don't create viruses. Any at all.
We detect 200,000 new threats every day as it is. Keeping on top of them all is quite a task. And another thing — we don't hire ex-hackers. Our business is built on trust, and we apply the highest standards in sensitive areas of our work: in malware analysis, product development, etc. Like a homicide detective doesn't need to kill to investigate a murder more effectively, a good expert doesn't need to be on the dark side to analyze viruses and predict what may come next.
Why do we still use the black list security model?
by Zaphod-AVA
Malware continues to be successful despite our current efforts. Why do we continue to use the same failed security model? Automated white listing seems like a better answer to modern security problems.
Imagine a whitelist that checks with a central repository that reputable software manufacturers send their updates to. Even with updates, checking the software you regularly run is now a simpler problem than comparing everything you run to a list of all the malware in existence.
EK: Actually we do use a whitelist security approach. Modern antiviruses are not simply based on signature analysis; they are sophisticated pieces of software containing whitelisting as well. Faced with constantly increasing malicious activity, the AV industry needs to seriously toughen up and come up with new approaches. One such new approach is the application of whitelisting technology.
Whitelisting takes a different view of computer files. It doesn't look for the bad things on your PC as the traditional pattern-based approach does; instead it just checks whether files are safe based on whether they are already whitelisted — already in the whitelist database of known-to-be-ok software. Any files that aren't already whitelisted are marked as potentially bogus. Our whitelist of OK'ed files is now populated by more than 530 million green-lighted files.
Now, depending on the settings you make in the antivirus program, files not included in the whitelist directory can be either automatically blocked (particularly useful in a corporate environment), or flagged as suspicious and sent for additional checks by anti-virus components. For the suspicious ones, a further stage of analysis can be performed by running them in Safe Run — an isolated sandbox environment from which maliciousness can't contaminate the computer's environment proper. Alternatively, right-clicking a file gives you its reputation info from our cloud-based KSN (video, details), which incidentally gets 400,000 file-checking requests per second!
The traditional pattern-based approach by its nature needs to catch 100% of all the maliciousness on a computer to be effective. Besides, every instance of malware needs to be analyzed and entered into a database, which takes time, and that is a crucial factor if we talk about epidemics. Whitelisting, on the other hand, isn't bothered about bogusness directly — it's not its concern. It concentrates instead on simply detecting possibly bogus files — files not included in the whitelist, just in case, as it were. And this task is completed in seconds — much quicker than the traditional approach's task. Since today we detect around 200,000 malware samples every day, and this figure is only going to keep on increasing, "just in case" becomes crucially important, and isn't just some new bell/whistle addition to traditional antivirus.
Of course, let the pattern approach keep at it with the baddies, which it is doing, valiantly. But also let whitelisting do its thing with goodies. The result? Superior overall protection — a lot quicker. Kind of what we're all after, after all.
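The allowlist-first flow this answer describes (consult the known-good database, let the pattern engine handle known-bad, and treat anything unknown as suspect: block it under a strict corporate policy, sandbox it otherwise), as an added example in Go. This is not Kaspersky's code and nothing on the page shows an implementation; both lists are keyed by SHA-256 of file contents, the sample "files" are constructed byte strings, and one ordering decision is mine rather than the page's: the denylist is consulted before the allowlist, so a file that was allowlisted earlier and identified as malicious later is still blocked.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Verdict is the outcome of checking one file.
type Verdict int

const (
	Allow        Verdict = iota // hash is in the allowlist of known-good files
	Block                       // hash is in the denylist of known-bad files
	Sandbox                     // unknown file: run isolated and send for analysis
	BlockUnknown                // unknown file under a strict policy: do not run
)

func (v Verdict) String() string {
	return [...]string{"allow", "block", "sandbox", "block-unknown"}[v]
}

// Policy selects how unknown (neither allowlisted nor denylisted) files are
// treated: strict mode blocks them outright, the default flags them for sandboxing.
type Policy struct {
	StrictUnknown bool
}

// Scanner keeps both lists keyed by hex SHA-256 of the file contents, so a file
// that differs by a single byte from a known-good one is "unknown", not "good".
type Scanner struct {
	allow  map[string]bool
	deny   map[string]bool
	policy Policy
}

func NewScanner(p Policy) *Scanner {
	return &Scanner{allow: map[string]bool{}, deny: map[string]bool{}, policy: p}
}

func fileHash(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// AddGood records a file as known-good (e.g. a vendor-published binary).
func (s *Scanner) AddGood(content []byte) { s.allow[fileHash(content)] = true }

// AddBad records a file as known malware (the traditional signature entry).
func (s *Scanner) AddBad(content []byte) { s.deny[fileHash(content)] = true }

// Classify decides what to do with a file. The denylist is checked first so a
// revoked allowlist entry (allowlisted earlier, found malicious later) is still
// blocked; then the allowlist; whatever is left is unknown and handled by
// policy. No signature is needed to stop an unknown file from running freely.
func (s *Scanner) Classify(content []byte) Verdict {
	h := fileHash(content)
	switch {
	case s.deny[h]:
		return Block
	case s.allow[h]:
		return Allow
	case s.policy.StrictUnknown:
		return BlockUnknown
	default:
		return Sandbox
	}
}

func main() {
	// Constructed stand-ins for executables; real input would be file contents.
	good := []byte("MZ vendor-signed-updater v1.0")
	bad := []byte("MZ known-trojan sample")
	fresh := []byte("MZ never-seen-before sample") // no signature exists yet
	for _, strict := range []bool{false, true} {
		s := NewScanner(Policy{StrictUnknown: strict})
		s.AddGood(good)
		s.AddBad(bad)
		fmt.Printf("strict=%-5v good=%s bad=%s fresh=%s\n",
			strict, s.Classify(good), s.Classify(bad), s.Classify(fresh))
	}
}
```

The point the answer makes, that a brand-new sample is contained before any signature for it exists, is the `fresh` case: it is on neither list, so it never runs unsandboxed, and under the strict policy it never runs at all. The same strict policy is the natural fit for machines whose software set never changes, such as the certified healthcare systems discussed further down.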
Re: Assembly code and vulnerability of Apple
by dave562
We see Apple growing in market share and one of the memes that has been accepted by a large part of the community is that Apple is not targeted by malware authors in part because the return on investment is not as high as it is for Windows machines. To put it another way, if a malware author targets Windows they get millions of home users, but more importantly, they also have the potential to infect corporate systems, server farms, etc. If they go after OS X, they get a bunch of home computers and some audio visual professionals.
Apple's market share is growing, and they also have converted their OS over to run on Intel chips. It now shares the same hardware base as PCs that run Windows. Given that all of the really advanced malware code (rootkits, polymorphism, etc.) is written in Assembly, do you foresee any tipping point coming where OS X will be targeted on a large scale like Windows has been? Or is there simply not enough of a payoff there for the malware creators, given the ease of exploitation and widespread deployment of Windows?
EK: Cybercrime today is no game; it's a very successful business. Its underlying principle is simple: risks are taken and attacks are invested in only if lots of money can be earned. The more users you can reach — the more money you may get. Simple. These days Mac OS market share is high enough to be attractive to the bad guys. In 2011 it was estimated that Apple had over 5% of worldwide desktop/laptop market share. And figures by web-tracking company Net Applications for the month of August 2012 show that Apple's combined share of the desktop market — counting versions 10.4 and after of OS X — is 7.11%, while Windows Vista for example takes 6.1%! This is a significant figure already, and that's why cyber criminals are turning their heads towards Apple.
The Flashfake epidemic, the first global Trojan for Mac OS, highlighted two things:
First, it showed that the most popular Windows attack scenario can be easily copied for Mac: a Trojan spreads via drive-by downloads — no user interaction needed, no clicks, no admin password. Just surf to a hacked website and the malware gets installed onto your computer automatically.
Second, epidemics are indeed now possible for Mac: if you compare the number of computers infected by Flashfake with the overall number of Macs, you'll find out that the "iBotnet" can be compared to Conficker — the biggest PC-botnet in history!
In sum this all means that we've reached the stage where attacks on Mac OS have become a usual phenomenon — not unusual as claimed in the past. And the scale will only increase. The Apple marketing people may not like it, but it's time to admit it — yes guys, your system is as vulnerable as Windows. Don't ignore the lesson of Flashfake. Think serious about security, not just different [sic].
Re: Healthcare/industry-specific software?
by HideyoshiJ
Many pieces of software and hardware used in healthcare are required to pass FDA certification, especially in areas like radiology. Often times, these vendors report that because they are certified on a certain patch level, these systems cannot be patched without losing that certification. Do you see any solutions to the current state of industry-specific software's seeming lack of quality, updates and security?
EK: What works best in these circumstances is whitelisting. We realized the importance of whitelisting a long time ago when we started our whitelisting program. Like many technologies, whitelisting is not a solution by itself, but in terms of more completely protected machines in healthcare it really does help. What's more, because such machines generally go unchanged the whitelisting rules can be extra strict. In our experience this works very well, especially in combination with technologies such as exploit prevention.
Anonymous Internet IDs
by AaronLS
Do you believe everyone could be issued an ID, and still remain anonymous? What I mean is, I believe that you could ensure each of your users is unique, but not necessarily know who they are. If everyone is issued a certificate signed by some trusted authority, one could verify that the certificate is valid, without the certificate exposing the information about who you are. You could even have a scheme that lets the authority issue you multiple IDs, but only one for each unique ForUseWithDomain attribute, such that if you wanted to keep your identity from being correlated across different sites, you could do so. This could probably even be automated.
This would ensure that if you banned a malicious user from your site, they wouldn't be able to come back without compromising someone else's certificate. Yet, you still get a high level of anonymity.
Sites that require non-anonymous access could deny anonymous certificates, and require that you authorize access to full name perhaps. This would be like OpenID in the way it will prompt you for a site requesting additional information, like your email.
EK: Firstly, in my opinion, Internet IDs aren't necessary for every type of Internet activity. Let me clarify in what cases I think Internet ID is needed. I believe the World Wide Web should be divided into three zones. Red zone is for critical processes: voting in elections, online banking, interactions with official bodies, and other critical transactions. For operations in this zone an Internet ID should be necessary. This is in everyone's interest — no one wants to lose private data which in some cases may lead to losing money, for example. Then comes the grey zone, where minimal authorization is needed. For example, age verification for online shops selling alcohol or adult stores. I don't think an Internet ID is necessary for this zone. You're right — Open ID is enough. And finally — the green zone: blogs, social networks, news sites, chats ... — everything related to your freedom of speech. No authorization required.
I suggest using special proxies for surfing in the red zone. You register using your Internet ID and then you use a nickname. Nobody can see your real name. If you break the law, your identity is subject to disclosure after legal procedures and a court decision. I want to stress that nobody can discover your real identity if you observe the law.
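The per-domain scheme proposed in the question above (one credential per user per domain, verifiable by a site without revealing who the user is, and not correlatable across sites, so that a ban sticks), as an added example in Go; it is not code from the page or from any real Internet ID system. Assumptions, all mine: the authority derives each pseudonym with an HMAC over (real user ID, domain) under a secret key it keeps, signs (domain, pseudonym) with Ed25519, and a site checks the signature against the authority's public key and that the credential names its own domain. The names Authority, Site, Issue and Admit are hypothetical. Caveat: the authority itself can link every pseudonym back to the registered identity, which matches the "disclosure after a court decision" model in the answer but means the scheme is pseudonymous towards sites, not anonymous towards the authority; removing that link would need blind signatures or an anonymous-credential system, which this example does not implement.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Credential is what a user presents to one site: the site it is for, a
// per-site pseudonym, and the authority's signature over both. Nothing in it
// identifies the user.
type Credential struct {
	Domain    string
	Pseudonym string
	Sig       []byte
}

// Authority knows real identities (userID). It derives one pseudonym per
// (userID, domain) with a keyed hash: the same user always gets the same
// pseudonym for a domain (one ID per "ForUseWithDomain"), while pseudonyms for
// different domains cannot be correlated without linkKey.
type Authority struct {
	signKey ed25519.PrivateKey
	pubKey  ed25519.PublicKey
	linkKey []byte // secret; the only thing tying pseudonyms to users
}

func NewAuthority() (*Authority, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	link := make([]byte, 32)
	if _, err := rand.Read(link); err != nil {
		return nil, err
	}
	return &Authority{signKey: priv, pubKey: pub, linkKey: link}, nil
}

func (a *Authority) PublicKey() ed25519.PublicKey { return a.pubKey }

// signedMessage binds the pseudonym to the domain it was issued for. The NUL
// separator keeps ("ab","c") and ("a","bc") from producing the same bytes.
func signedMessage(domain, pseudonym string) []byte {
	return []byte(domain + "\x00" + pseudonym)
}

// Issue returns the credential for userID at domain. Verifying the real
// identity beforehand is out of scope. Issuing is deterministic, so asking
// again never yields a second pseudonym for the same domain.
func (a *Authority) Issue(userID, domain string) Credential {
	mac := hmac.New(sha256.New, a.linkKey)
	mac.Write([]byte(userID))
	mac.Write([]byte{0})
	mac.Write([]byte(domain))
	pseudonym := hex.EncodeToString(mac.Sum(nil)[:16])
	sig := ed25519.Sign(a.signKey, signedMessage(domain, pseudonym))
	return Credential{Domain: domain, Pseudonym: pseudonym, Sig: sig}
}

// Site trusts only the authority's public key and never learns userID.
type Site struct {
	domain  string
	authPub ed25519.PublicKey
	banned  map[string]bool
}

func NewSite(domain string, authPub ed25519.PublicKey) *Site {
	return &Site{domain: domain, authPub: authPub, banned: map[string]bool{}}
}

// Ban blocks a pseudonym. Because the authority re-issues the same one, the
// user cannot return without compromising someone else's credential.
func (s *Site) Ban(pseudonym string) { s.banned[pseudonym] = true }

// Admit returns the pseudonym and true if the credential names this site,
// carries a valid authority signature, and is not banned. The domain check
// stops a credential issued for one site being replayed at another.
func (s *Site) Admit(c Credential) (string, bool) {
	if c.Domain != s.domain {
		return "", false
	}
	if !ed25519.Verify(s.authPub, signedMessage(c.Domain, c.Pseudonym), c.Sig) {
		return "", false
	}
	if s.banned[c.Pseudonym] {
		return "", false
	}
	return c.Pseudonym, true
}

func main() {
	auth, err := NewAuthority()
	if err != nil {
		panic(err)
	}
	forum := NewSite("forum.example", auth.PublicKey())
	shop := NewSite("shop.example", auth.PublicKey())
	atForum := auth.Issue("alice", "forum.example") // "alice": constructed identity
	atShop := auth.Issue("alice", "shop.example")
	fmt.Println("pseudonyms differ per site:", atForum.Pseudonym != atShop.Pseudonym)
	_, ok := shop.Admit(atForum)
	fmt.Println("forum credential accepted at shop:", ok) // false: wrong domain
	forum.Ban(atForum.Pseudonym)
	_, ok = forum.Admit(auth.Issue("alice", "forum.example"))
	fmt.Println("alice readmitted after ban:", ok) // false: same pseudonym again
}
```

Two details carry the security properties: the signature covers the domain, so a credential cannot be presented anywhere but the site it was issued for, and the pseudonym is a keyed hash rather than a random value, so a banned user who re-registers gets the identical pseudonym back. Unlinkability across sites rests entirely on the authority keeping linkKey secret.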
Re: Online anonymity
by gallondr00nk
Recent protest movements and the Arab Spring have shown that the ability to use the Internet anonymously is crucial to organizing resistance and circumventing censorship or oppression. In light of that have you modified your views on the "Internet ID"?
EK: My position on Internet ID is developing. The more governments speak about regulation of the Internet, the more liberal I become. I'm really worried that one day governments will go too far in their attempts to control the WWW and its users.
After the Arab Spring I've slightly changed my views on the subject. I still think that Internet IDs are required for certain operations, but as I've explained above, you don't need them when, say, surfing social networks. And as far as I know it was specifically Twitter and Facebook that were used as communication tools for protesters during the Arab Spring.
Re: "Approved" Spyware
by Fnord666
I assume that various state sponsored agencies provide you with their "research" tools and ask that you not detect them with your products nor should you interfere with their operation. To what extent does this happen, to what degree are you "asked" to comply, and to what degree are you forbidden to discuss this topic? Do you, or if you had the opportunity to do so without repercussions would you, offer a version of your products that identified and disabled this spyware?
EK: There is nobody who can forbid me from discussing this topic, so here you go. The short answer is no — we don't have relations with state sponsored agencies in the way you describe. Nor ever will.
Reputation is an extremely important asset in our business. If you let somebody be your bodyguard you need to be 100% sure that you can rely on this guy. And it's the same for users and companies when choosing security software. Trust is everything for us. If we had such a skeleton in the closet, our rep would go into a nosedive. And believe me, such a skeleton would be found if it ever existed: I'm pretty sure that our products are analyzed scrupulously by competitors, cyber criminals and governments. No, secret agreements with state agencies like the one you imagine — there's never been such a thing nor ever will be.
Kaspersky's relationship with the government
by swb
Does Kaspersky have a relationship with the Putin administration or the FSB? Do either of these organizations have any influence on the business practices or technology of Kaspersky antivirus? Should a security minded person be concerned with the geographic origin of security software?
EK: Firstly, we have relations with law enforcement agencies in many countries, not only in Russia, to which we provide expertise. Moreover, all the world's leading security companies — Symantec, McAfee/Intel, and Kaspersky Lab — we all collaborate with law enforcement bodies in our own countries and worldwide — to help fight cybercrime. CERTs, the FBI, FSB, Interpol, etc. — our duty is to help them investigate criminal cases.
As concerns home/consumer users, the defining feature of the next decade will be an enormous shift to mobile OS — and all the cyber criminals will be there already to greet them. The more financial transactions we conduct using smartphones, the more cyber criminals will target them. Future developments are likely to see more mobile botnets and drive-by downloads. There is also a high probability that the first mass worm for Android will appear, capable of spreading itself via text messages and sending out links to itself at some online app store. We're also likely to see more mobile botnets, of the sort created using the RootSmart backdoor.
Digital concepts young people should learn?
by davecrusoe
There's much talk about combating malware through technical solutions (e.g., adding transparency to communication, building increasingly sophisticated scanning systems, etc.). But what interests me is what we should be teaching our young people (children in primary and secondary school) with respect to the expertise we wished all adults possessed. In your estimation, what are 2-3 things that, if young people understood well, would help them excel in the face of cyber adversity (e.g., malware, privacy theft, etc.)?
EK: The most important advice I can give to young people is to always use your head. It might sound too simplistic, but if everyone who surfs online followed this rule the risks would be minimized. Don't download suspicious applications, and use social networks with caution. The largest portion of viruses is being spread with the use of social engineering, so never open links or files from unknown persons. Never ever! And even if you know the person, double check before doing so. Another way is to open suspicious files or links in a Sandbox mode.
Also, always use up-to-date quality security software. Free AV products are not a solution. Don't forget to update your system regularly. Install all the patches from the software developer and don't ignore update notifications.
By following these few simple rules you can minimize the risks online. As I mentioned, I've got standard Windows running with Internet Security, and I don't experience any problems with online surfing. -
Interviews: Eugene Kaspersky Answers Your Questions
Last week, you asked questions of Eugene Kaspersky; below, find his answers on a range of topics, from the relationship of malware makers to malware hunters, to Kasperky Labs' relationship to the Putin government, as well as whitelisting vs. signature-based detection, Internet ID schemes, and the SCADA-specific operating system Kaspersky is working on. Spoiler: There are a lot of interesting facts here, as well as some teases. Which OS/OSs do you run?
by magic maverick
While MS Windows is the most common computer OS around, there are obviously many others. For your personal use, what is your main OS, and how do you keep it secure (do you, e.g., run MS Windows with anti-malware software, or do you run Ubuntu Linux with the defaults)? Is this a setup that you would suggest for others, or is it too esoteric?
Eugene Kaspersky: I'm afraid my answer's nothing special — I've got Windows 7 on my laptop + Kaspersky Internet Security 2013. To put it short, I've no need for any other operating systems like Ubuntu or Mac OS, and some software I need is available only under Windows.
Special thing about my devices is that I don't have a smartphone. I use a good old Sony Ericsson, whose most advanced feature is its (handy) flashlight. A simple phone like this is the safest mobile you could ever choose!
On this topic I also have a few tips I can share with you:- Outside the KL corporate network I always use a VPN connection. If you have the possibility to use VPN — do so. It's a very useful way to minimize risks.
- Always use quality security software and keep it updated (automatically). That is an absolute must.
- I prefer using browsers with a relatively high security level (e.g., Chrome) and I disable scripts in it.
- And finally, the most important rule — also the simplest: always — always — use your head. I'm certain that the above + common sense is perfectly sufficient for secure personal use.
What color is your hat?
by eldavojohn
I feel like when someone is as deep in malware protection as you are, you're basically running malware and, I assume, developing malware or finding exploitable aspects of software. I notice you "discover" a lot of malware but I don't recall seeing you publish any exploits. How much malware development do you do? Any at all? Is there anyone in your company that attempts to mimic what other malware does so you can better understand it? Do you feel like that is a necessity in the field of malware protection?
EK: No, no and no. We don't develop malware and we don't publish exploits. Both happen to be illegal — and amoral. I don't recommend you doing either too.
Firemen don't start fires, doctors don't infect people, and antivirus companies don't create viruses. Any at all.
We detect 200,000 new threats every day as it is. Keeping on top of them all is quite a task. And another thing — we don't hire ex-hackers. Our business is built on trust, and we apply the highest standards in sensitive areas of our work: in malware analysis, product development, etc. Like a homicide detective doesn't need to kill to investigate a murder more effectively, a good expert doesn't need to be on the dark side to analyze viruses and predict what may come next.
Why do we still use the black list security model?
by Zaphod-AVA
Malware continues to be successful despite our current efforts. Why do we continue to use the same failed security model? Automated white listing seems like a better answer to modern security problems.
Imagine a whitelist that checks with a central repository that reputable software manufacturers send their updates to. Even with updates, checking the software you regularly run is now a simpler problem then comparing everything you run to a list of all the malware in existence.
EK: Actually we do use a whitelist security approach. Modern antiviruses are not simply based on signature analysis; they are sophisticated pieces of software containing whitelisting as well. Faced with constantly increasing malicious activity, the AV industry needs to seriously toughen up and come up with new approaches. One such new approach is the application of whitelisting technology.
Whitelisting takes a different view of computer files. It doesn't look for the bad things on your PC like with the traditional pattern-based approach, instead it just checks if files are safe based on whether such files are already whitelisted — already in the whitelist database of known-to-be-ok software. Any files that aren't already whitelisted are marked as potentially bogus. Our whitelist of ok'ed files is now populated by more than 530 million green-lighted files.
Now, depending on the settings you make in the antivirus program, files not included in the whitelist directory can be either automatically blocked (particularly useful in a corporate environment), or flagged as suspicious and sent for additional checks by anti-virus components. For the suspicious ones, a further stage of analysis can be performed by running them in Safe Run — an isolated sandbox environment from which maliciousness can't contaminate the computer's environment proper. Alternatively, right-clicking a file gives you its reputation info from our cloud-based KSN (video, details), which incidentally gets 400,000 file-checking requests per second!
The traditional pattern-based approach by its nature needs to catch 100% of all the maliciousness on a computer to be effective. Besides, every instance of malware needs to be analyzed and entered into a database, which takes time, and this is a crucial moment if we talk about epidemics. Whitelisting, on the other hand, isn't bothered about bogusness directly — it's not its concern. It concentrates instead on simply detecting possibly bogus files — files not included in the whitelist, just in case, as it were. And this task is completed in seconds — much quicker the traditional approach's task. Since today we detect around 200,000 malware samples every day, and this figure is only going to keep on increasing, just in case becomes crucially important, and isn't just some new bell/whistle addition to traditional antivirus.
Of course, let the pattern approach keep at it with the baddies, which it is doing, valiantly. But also let whitelisting do its thing with goodies. The result? Superior overall protection — a lot quicker. Kind of what we're all after, after all .
Re: Assembly code and vulnerability of Apple
by dave562
We see Apple growing in market share and one of the memes that has been accepted by a large part of the community is that Apple is not targeted by malware authors in part because the return on investment is not as high as it is for Windows machines. To put it another way, if a malware author targets Windows they get millions of home users, but more importantly, they also have the potential to infect corporate systems, server farms, etc. If they go after OS X, they get a bunch of home computers and some audio visual professionals.
Apple's market share is growing, and they also have converted their OS over to run on Intel chips. It now shares the same hardware base as PCs that run Windows. Given that all of the really advanced malware code (rootkits, polymorphism, etc.) is written in Assembly, do you foresee any tipping point coming where OS X will be targeted on a large scale like Windows has been? Or is there simply not enough of a payoff there for the malware creators, given the ease of exploitation and widespread deployment of Windows?
EK: Cybercrime today is no game; it's a very successful business. Its underlying principle is simple: risks are taken and attacks are invested in only if lots of money can be earned. The more users you can reach — the more money you may get. Simple. These days Mac OS market share is high enough to be attractive to the bad guys. In 2011 it was estimated that Apple had over 5% of worldwide desktop/laptop market share. And figures by web-tracking company Net Applications for the month of August 2012 show that Apple's combined share of the desktop market — counting versions 10.4 and after of OS X — is 7.11%, while Windows Vista for example takes 6.1%! This is a significant figure already, and that's why cyber criminals are turning their heads towards Apple.
The Flashfake epidemic, the first global Trojan for Mac OS, highlighted two things:
First, it showed that the most popular Windows attack scenario can be easily copied for Mac: a Trojan spreads via drive — by downloads — no user interaction needed, no clicks, no admin password. Just surf to a hacked website and the malware gets installed onto your computer automatically.
Second, epidemics are indeed now possible for Mac: if you compare the number of computers infected by Flashfake with the overall number of Macs, you'll find out that the "iBotnet" can be compared to Conficker — the biggest PC-botnet in history!
In sum this all means that we've reached the stage where attacks on Mac OS have become a usual phenomenon — not unusual as claimed in the past. And the scale will only increase. The Apple marketing people may not like it, but it's time to admit it — yes guys, your system is as vulnerable as Windows. Don't ignore the lesson of Flashfake. Think serious about security, not just different [sic].
Re: Healthcare/industry-specific software?
by HideyoshiJ
Many pieces of software and hardware used in healthcare are required to pass FDA certification, especially in areas like radiology. Often times, these vendors report that because they are certified on a certain patch level, these systems cannot be patched without losing that certification. Do you see any solutions to the current state of industry-specific software's seeming lack of quality, updates and security?
EK: What works best in these circumstances is whitelisting. We realized the importance of whitelisting a long time ago when we started our whitelisting program. Like many technologies, whitelisting is not a solution by itself, but in terms of more completely protected machines in healthcare it really does help. What's more, because such machines generally go unchanged the whitelisting rules can be extra strict. In our experience this works very well, especially in combination with technologies such as exploit prevention.
Anonymous Internet IDs
by AaronLS
Do you believe everyone could be issued an ID, and still remain anonymous? What I mean is, I believe that you could ensure each of your users is unique, but not necessarily know who they are. If everyone is issued a certificate signed by some trusted authority, one could verify that the certificate is valid, without the certificate exposing the information about who you are. You could even have a scheme that lets the authority issue you multiple IDs, but only one for each unique ForUseWithDomain attribute, such that if you wanted to keep your identity from being correlated across different sites, you could do so. This could probably even be automated.
This would ensure that if you banned a malicious user from your site, they wouldn't be able to come back without compromising someone else's certificate. Yet, you still get a high level of anonymity.
Sites that require non-anonymous access could deny anonymous certificates, and require that you authorize access to full name perhaps. This would be like OpenID in the way it will prompt you for a site requesting additional information, like your email.
EK: Firstly, in my opinion, Internet IDs aren't necessary for every type of Internet activity. Let me clarify in what cases I think Internet ID is needed. I believe the World Wide Web should be divided into three zones. Red zone is for critical processes: voting in elections, online banking, interactions with official bodies, and other critical transactions. For operations in this zone an Internet ID should be necessary. This is in everyone's interest — no one wants to lose private data which in some cases may lead to losing money, for example. Then comes the grey zone, where minimal authorization is needed. For example, age verification for online shops selling alcohol or adult stores. I don't think an Internet ID is necessary for this zone. You're right — Open ID is enough. And finally — the green zone: blogs, social networks, news sites, chats ... — everything related to your freedom of speech. No authorization required.
I suggest using special proxies for surfing in the red zone. You register using your Internet ID and then you use a nickname. Nobody can see your real name. If you break the law, your identity is subject to disclosure after legal procedures and a court decision. I want to stress that nobody can discover your real identity if you observe the law.
Re: Online anonymity
by gallondr00nk
Recent protest movements and the Arab Spring have shown that the ability to use the Internet anonymously is crucial to organizing resistance and circumventing censorship or oppression. In light of that have you modified your views on the "Internet ID"?
EK: My position on Internet ID is developing. The more governments speak about regulation of the Internet, the more liberal I become. I'm really worried that one day governments will go too far in their attempts to control the WWW and its users.
After the Arab spring I've slightly changed my views on the subject. I still think that Internet IDs are required for certain operations, but as I've explained above, you don't need them when, say, surfing social networks. And as far as I know it was specifically Twitter and Facebook that were used as communication tools for protesters during the Arab Spring.
Re: "Approved" Spyware
by Fnord666
I assume that various state sponsored agencies provide you with their "research" tools and ask that you not detect them with your products nor should you interfere with their operation. To what extent does this happen, to what degree are you "asked" to comply, and to what degree are you forbidden to discuss this topic? Do you, or if you had the opportunity to do so without repercussions would you, offer a version of your products that identified and disabled this spyware?
EK: There is nobody who can forbid me from discussing this topic, so here you go. The short answer is no — we don't have relations with state sponsored agencies in the way you describe. Nor ever will.
Reputation is an extremely important asset in our business. If you let somebody be your bodyguard you need to be 100% sure that you can rely on this guy. And it's the same for users and companies when choosing security software. Trust is everything for us. If we had such a skeleton in the closet, our rep would go into nosedive. And believe me, such a skeleton would be found if it ever existed: I'm pretty sure that our products are analyzed scrupulously by competitors, cyber criminals and governments. No, secret agreements with state agencies like the one you imagine — there's never been such a thing nor ever will be.
Kaspersky's relationship with the government
by swb
Does Kaspersky have a relationship with the Putin administration or the FSB? Do either of these organizations have any influence on the business practices or technology of Kaspersky antivirus? Should a security minded person be concerned with the geographic origin of security software?
EK: Firstly, we have relations with law enforcement agencies in many countries, not only in Russia, as per which we provide expertise. Moreover, all the world's leading security companies — Symantec, McAfee/Intel, and Kaspersky Lab — we all collaborate with law enforcement bodies in our own countries and worldwide — to help fight cybercrime. CERTs, the FBI, FSB, Interpol, etc. — our duty is to help them investigate criminal cases.
Without the expertise of security professionals, successful law enforcement operations would be an unattainable dream. When cybercrime cases are domestic, IT Security companies work with their law enforcement agencies to assist in investigations. When they're international, they work with the appropriate law enforcement authorities of the affected countries to abide by legal policies and federal jurisdictions. This cooperation is crucial in fighting cybercrime worldwide, and we are proud to be a part of the process.
Secondly, Kaspersky Lab is a private international company which registered its holding in Great Britain in 2006. This means that our financial reporting is completely transparent and freely available to anyone. As a private company we act independently. There's no organization that could influence our business or product development.
And finally, regarding origin: Paranoia can be useful sometimes, but you should have good reasons for it. Should the security minded person be concerned that his/her laptop is assembled in China? Or that Intel, which produces most processors, has plants not only in the US, but also in Israel, Ireland and China too? Many other chip companies of course design their chips but have them produced by third parties — mostly in Taiwan and China. Should one be worried that one of the leading Microsoft R&D centers is situated in Israel? Or that the SAP headquarters is in Germany, Sony's in Japan, and Acer's in Taiwan?
We live in the age of globalization. Kaspersky Lab has R&D centers and virus experts around the world, including Russia, Europe, Japan, China, the United States and Latin America. It's simply not a question of origin any more.
In the early 2000s, when we first entered both the UK and US markets, we were perceived with a somewhat prejudiced attitude. Nobody took much notice of our product quality, but only in its origin. However, I think that was because of lack of information about our company and the products we supplied. With years the situation has changed: it's impossible for a superior quality product to stay ignored.
Are you safe Mr. Kaspersky?
by Lieutenant_Dan
You're operating out of the same country that has a ton of botnet operators raking in some decent dough with cheap pharmaceutical sales thanks to people desperate or naive enough to do so.
There are have been some interesting stories hailing from your corner of your world. How do you feel with your ability to run your company the way you want and without any threats to you or your staff?
EK: Botnet operators? Cyber criminals? I'd say they're the most tamed animals in our zoo! In recent years we've been discovering much wilder, more dangerous stuff — more and more viruses that can be classified as cyber weapons, created by nation states or by private companies sponsored by them.
Though you can never be absolutely safe, our staff hasn't been threatened, and I hope never will be. This may be because we fight malware, we don't conduct criminal investigations. This is what the police should do.
Re: Your secure OS
by lister king of smeg
You plan on making a secure OS for industrial/infrastructure systems; do you plan on basing it on preexisting open kernels, such as BSD, Linux, Haiku, or Mach? Will it be Unix/Posix like? Will it be a monolithic or micro kernel? Or are you thinking more of a hypervisor that hosts and monitors the guest OS for SCADA systems?
It will not be based on Linux or any other OS. Existing operating systems weren't created with security in mind. Security is an extra option for many of them, and vulnerabilities are inevitable. Of course existing systems have a lot going for them — and we recognize that. But I think that their level of security isn't high enough to cope with today's threats.
We're developing our OS at the micro kernel level.
We support the POSIX standard to the extent it does not contradict with our security principles. Our main target is to create a development platform for those interested in producing software or hardware with very high levels of security. As for a hypervisor, its creation is not our original intent, although we're not completely disregarding such a development path.
Re: Your exploit-free OS
by eldavojohn
Recently you confirmed you're working on an exploit-free OS following all the SCADA attacks. Among other things, you're claiming it is to be written from scratch but I can't find many details on what it's going to look like architecturally. You say: "Architecturally, the operating system is constructed in such a way that even a break-in into any of the components or applications loaded onto it won't allow an intruder to gain control over it or to run malicious code."
Could you expound on this? Are you writing this code or still in the design phase? Or better yet, could you compare it to something like, say, CentOS or Debian, and tell us how your architecture is going to be more secure? I understand you're scoping down the requirements of your OS to be more easily manageable, but the skeptic in me feels like it just can't be done. The cat and mouse game must be played in some form or fashion.
EK: This highly-complex project is extremely time consuming. We are still writing the code but we already have several working prototypes.
Don't believe the skeptic inside you. It is possible. Our OS will guarantee the possibility to run just preliminarily and explicitly declared functionality. I'm afraid I'm not ready to disclose much information at this stage — our rivals are watching. We are also currently collaborating with hardware manufacturers. Where there is a need for a superior level of security we plan to provide an integral, reliable computer appliance developed by our own team of specialists. Regarding architecture, we're not restricting ourselves to anything specific such as x86 or ARM. The hardware will definitely have to meet some specific requirements because it will have a direct bearing on the ability to ensure the required security guarantees. Follow our news — it's going to be interesting.
Re: The importance of programming language to SCADA security?
by Anonymous Coward
How important will the process of choosing a "language-based system" be to ensure the security of the operating system you envision? Choosing a type-safe language to create a memory-safe OS can help with the threats posed by the Internet or malware while also reducing some complex code used to get around a lack of type-safety in an OS. Will you be creating your own system or general purpose programming language to ensure this security in this way? If not, there are a few languages already available, or partially available, to choose from: Cyclone (an extension of the last version of C), Red/System (still under development), Euphoria (a system language with type-checking, and it uses simple words instead of punctuation to improve readability) and the combination of a type-safe Assembly that handles hardware and memory with managed C# that handles the rest of the kernel and the applications (like Microsoft implements in the Verve OS and might implement in a future Windows; that is, code-name Midori).
EK: Using a type-safe language is an interesting and promising approach, although we're not using it in our micro-kernel. We give a higher priority to tailoring OS architecture along with our security principles, which do not depend on the implementation language. More details on the approaches we use we'll share later.
Re: Malware's history and future?
by Anonymous Coward
You've been in computer security a long time, and have seen many things come and go. DOS/bootsector viruses, Windows viruses, macro viruses, rise of worms to replace them, and now the commercialization of malware with botnets, extortion-ware and the targeted weaponised malware like the one that hit Iran (and who knows what else). What's changed? What's remained the same? What about the malware creators — has their motivation changed? Where do you believe things are headed?
EK: Twenty years ago malware was a curious toy for programmers. Ten years ago it was a criminal instrument for bad guys who wanted to earn some money. Today it's a cyber weapon for governments. And that is the main and the most dangerous tendency of recent years.
Recent malware — Stuxnet, Duqu, Flame, Gauss — proved that cyber weapons (i) are relatively cheap to produce, (ii) are effective, (iii) mostly go undetected, (iv) leave their authors anonymous, and (v) can be easily replicated. And they're hard to protect against. They look like perfect weapons to some governments. In the meantime, Pandora's box is now wide open.
The most dangerous aspect of cyber weapons is their unpredictable side effects. A worst case scenario is when a cyber weapon aimed at a specific industrial object — like, say, Stuxnet — isn't actually able to accurately pick out its victim — either down to a mistake in the algorithm or a banal error in the code. As a result of such an attack the targeted victim — let's say a nuclear power station — would not be the only one affected: all the other nuclear stations in the world built with the same design would be too. Sounds scary, doesn't it? And without control from an international body, it could become more than scary: catastrophic.
As concerns home/consumer users, the defining feature of the next decade will be an enormous shift to mobile OS — and all the cyber criminals will be there already to greet them. The more financial transactions we conduct using smartphones, the more cyber criminals will target them. Future developments are likely to see more mobile botnets and drive-by downloads. There is also a high probability that the first mass worm for Android will appear, capable of spreading itself via text messages and sending out links to itself at some online app store. We're also likely to see more mobile botnets, of the sort created using the RootSmart backdoor.
Digital concepts young people should learn?
by davecrusoe
There's much talk about combating malware through technical solutions (e.g., adding transparency to communication, building increasingly sophisticated scanning systems, etc.). But what interests me is what we should be teaching our young people (children in primary and secondary school) with respect to the expertise we wished all adults possessed. In your estimation, what are 2-3 things that, if young people understood well, would help them excel in the face of cyber adversity (e.g., malware, privacy theft, etc.)?
EK: The most important advice I can give to young people is to always use your head. It might sound too simplistic, but if everyone who surfs online followed this rule the risks would be minimized. Don't download suspicious applications, and use social networks with caution. The largest portion of viruses is being spread with the use of social engineering, so never open links or files from unknown persons. Never ever! And even if you know the person, double check before doing so. Another way is to open suspicious files or links in a Sandbox mode.
Also, always use up-to-date quality security software. Free AV products are not a solution. Don't forget to update your system regularly. Install all the patches from the software developer and don't ignore update notifications.
By following these few simple rules you can minimize the risks online. As I mentioned, I've got standard Windows running with Internet Security, and I don't experience any problems with online surfing. -
Interviews: Eugene Kaspersky Answers Your Questions
Last week, you asked questions of Eugene Kaspersky; below, find his answers on a range of topics, from the relationship of malware makers to malware hunters, to Kasperky Labs' relationship to the Putin government, as well as whitelisting vs. signature-based detection, Internet ID schemes, and the SCADA-specific operating system Kaspersky is working on. Spoiler: There are a lot of interesting facts here, as well as some teases. Which OS/OSs do you run?
by magic maverick
While MS Windows is the most common computer OS around, there are obviously many others. For your personal use, what is your main OS, and how do you keep it secure (do you, e.g., run MS Windows with anti-malware software, or do you run Ubuntu Linux with the defaults)? Is this a setup that you would suggest for others, or is it too esoteric?
Eugene Kaspersky: I'm afraid my answer's nothing special — I've got Windows 7 on my laptop + Kaspersky Internet Security 2013. To put it short, I've no need for any other operating systems like Ubuntu or Mac OS, and some software I need is available only under Windows.
Special thing about my devices is that I don't have a smartphone. I use a good old Sony Ericsson, whose most advanced feature is its (handy) flashlight. A simple phone like this is the safest mobile you could ever choose!
On this topic I also have a few tips I can share with you:
- Outside the KL corporate network I always use a VPN connection. If you have the possibility to use VPN — do so. It's a very useful way to minimize risks.
- Always use quality security software and keep it updated (automatically). That is an absolute must.
- I prefer using browsers with a relatively high security level (e.g., Chrome) and I disable scripts in it.
- And finally, the most important rule — also the simplest: always — always — use your head. I'm certain that the above + common sense is perfectly sufficient for secure personal use.
What color is your hat?
by eldavojohn
I feel like when someone is as deep in malware protection as you are, you're basically running malware and, I assume, developing malware or finding exploitable aspects of software. I notice you "discover" a lot of malware but I don't recall seeing you publish any exploits. How much malware development do you do? Any at all? Is there anyone in your company that attempts to mimic what other malware does so you can better understand it? Do you feel like that is a necessity in the field of malware protection?
EK: No, no and no. We don't develop malware and we don't publish exploits. Both happen to be illegal — and amoral. I don't recommend that you do either, either.
Firemen don't start fires, doctors don't infect people, and antivirus companies don't create viruses. Any at all.
We detect 200,000 new threats every day as it is. Keeping on top of them all is quite a task. And another thing — we don't hire ex-hackers. Our business is built on trust, and we apply the highest standards in sensitive areas of our work: in malware analysis, product development, etc. Like a homicide detective doesn't need to kill to investigate a murder more effectively, a good expert doesn't need to be on the dark side to analyze viruses and predict what may come next.
Why do we still use the black list security model?
by Zaphod-AVA
Malware continues to be successful despite our current efforts. Why do we continue to use the same failed security model? Automated white listing seems like a better answer to modern security problems.
Imagine a whitelist that checks with a central repository that reputable software manufacturers send their updates to. Even with updates, checking the software you regularly run is now a simpler problem than comparing everything you run to a list of all the malware in existence.
EK: Actually we do use a whitelist security approach. Modern antiviruses are not simply based on signature analysis; they are sophisticated pieces of software containing whitelisting as well. Faced with constantly increasing malicious activity, the AV industry needs to seriously toughen up and come up with new approaches. One such new approach is the application of whitelisting technology.
Whitelisting takes a different view of computer files. It doesn't look for the bad things on your PC like with the traditional pattern-based approach, instead it just checks if files are safe based on whether such files are already whitelisted — already in the whitelist database of known-to-be-ok software. Any files that aren't already whitelisted are marked as potentially bogus. Our whitelist of ok'ed files is now populated by more than 530 million green-lighted files.
Now, depending on the settings you make in the antivirus program, files not included in the whitelist directory can be either automatically blocked (particularly useful in a corporate environment), or flagged as suspicious and sent for additional checks by anti-virus components. For the suspicious ones, a further stage of analysis can be performed by running them in Safe Run — an isolated sandbox environment from which maliciousness can't contaminate the computer's environment proper. Alternatively, right-clicking a file gives you its reputation info from our cloud-based KSN (video, details), which incidentally gets 400,000 file-checking requests per second!
The traditional pattern-based approach by its nature needs to catch 100% of all the maliciousness on a computer to be effective. Besides, every instance of malware needs to be analyzed and entered into a database, which takes time, and this is a crucial moment if we talk about epidemics. Whitelisting, on the other hand, isn't bothered about bogusness directly — it's not its concern. It concentrates instead on simply detecting possibly bogus files — files not included in the whitelist, just in case, as it were. And this task is completed in seconds — much quicker than the traditional approach's task. Since today we detect around 200,000 malware samples every day, and this figure is only going to keep on increasing, just in case becomes crucially important, and isn't just some new bell/whistle addition to traditional antivirus.
Of course, let the pattern approach keep at it with the baddies, which it is doing, valiantly. But also let whitelisting do its thing with goodies. The result? Superior overall protection — a lot quicker. Kind of what we're all after, after all.
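As an added illustration of the allowlist-first model described in this answer (example code written for this page, not Kaspersky Lab's own; every file body, hash and byte pattern below is constructed for the demo), the checker treats a known-good hash as the fast path, keeps the traditional known-bad hash and pattern stage, and hands everything else a "just in case" verdict that depends on whether the policy is the strict corporate mode or the flag-for-analysis mode:

```python
import hashlib
from enum import Enum


class Policy(Enum):
    STRICT = "strict"  # corporate mode: block anything not on the allowlist
    FLAG = "flag"      # home mode: let unknown files run but mark them for further checks


class Verdict(Enum):
    CLEAN = "clean"            # hash is on the allowlist of known-good files
    MALICIOUS = "malicious"    # caught by the known-bad hash / byte-pattern stage
    BLOCKED = "blocked"        # unknown file, refused under the strict policy
    SUSPICIOUS = "suspicious"  # unknown file, allowed but flagged for sandbox/cloud analysis


def sha256_hex(data: bytes) -> str:
    """Identity of a file for list lookups: its SHA-256 digest."""
    return hashlib.sha256(data).hexdigest()


class FileChecker:
    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.allowlist: set[str] = set()     # hashes that vendors registered as legitimate
        self.badlist: set[str] = set()       # hashes of samples that were analysed as malware
        self.bad_patterns: list[bytes] = []  # byte signatures (the traditional pattern approach)

    # --- population ----------------------------------------------------------
    def register_vendor_release(self, data: bytes) -> str:
        """A reputable vendor submits a build; its hash becomes known-good immediately."""
        h = sha256_hex(data)
        self.allowlist.add(h)
        return h

    def add_malware_sample(self, data: bytes) -> str:
        """An analysed sample; its hash becomes known-bad (the slow path: analysis first)."""
        h = sha256_hex(data)
        self.badlist.add(h)
        return h

    def add_pattern(self, pattern: bytes) -> None:
        self.bad_patterns.append(pattern)

    # --- classification ------------------------------------------------------
    def classify(self, data: bytes) -> Verdict:
        h = sha256_hex(data)
        # A known-bad hash always wins, even over a (possibly poisoned) allowlist entry.
        if h in self.badlist:
            return Verdict.MALICIOUS
        # Allowlist hit: nothing more to do, which is why this path is fast.
        if h in self.allowlist:
            return Verdict.CLEAN
        # Neither list knows the file; fall back to signature scanning.
        if any(p in data for p in self.bad_patterns):
            return Verdict.MALICIOUS
        # Not known-good and not known-bad: the "just in case" verdict depends on policy.
        return Verdict.BLOCKED if self.policy is Policy.STRICT else Verdict.SUSPICIOUS

    def scan(self, files: dict[str, bytes]) -> dict[str, Verdict]:
        return {name: self.classify(data) for name, data in files.items()}


# Constructed sample "files" for the demo; none of these are real binaries or real signatures.
SAMPLE_FILES = {
    "vendor_tool.exe": b"MZ\x90\x00vendor build 4.2 (constructed)",
    "known_trojan.exe": b"MZ\x90\x00constructed, already analysed trojan",
    "new_variant.exe": b"MZ\x90\x00unseen build with DEMO-BAD-PATTERN inside",
    "homebrew_tool.exe": b"MZ\x90\x00something a user compiled at home",
}


def demo_checker(policy: Policy) -> FileChecker:
    """Build a checker populated with the constructed samples above."""
    c = FileChecker(policy)
    c.register_vendor_release(SAMPLE_FILES["vendor_tool.exe"])
    c.add_malware_sample(SAMPLE_FILES["known_trojan.exe"])
    c.add_pattern(b"DEMO-BAD-PATTERN")
    return c


if __name__ == "__main__":
    for policy in Policy:
        print(policy.value, demo_checker(policy).scan(SAMPLE_FILES))
```

The homebrew file is the interesting case: no list knows it, so the strict policy blocks it while the flag policy lets it run and marks it for the extra analysis stage.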
Re: Assembly code and vulnerability of Apple
by dave562
We see Apple growing in market share and one of the memes that has been accepted by a large part of the community is that Apple is not targeted by malware authors in part because the return on investment is not as high as it is for Windows machines. To put it another way, if a malware author targets Windows they get millions of home users, but more importantly, they also have the potential to infect corporate systems, server farms, etc. If they go after OS X, they get a bunch of home computers and some audio visual professionals.
Apple's market share is growing, and they also have converted their OS over to run on Intel chips. It now shares the same hardware base as PCs that run Windows. Given that all of the really advanced malware code (rootkits, polymorphism, etc.) is written in Assembly, do you foresee any tipping point coming where OS X will be targeted on a large scale like Windows has been? Or is there simply not enough of a payoff there for the malware creators, given the ease of exploitation and widespread deployment of Windows?
EK: Cybercrime today is no game; it's a very successful business. Its underlying principle is simple: risks are taken and attacks are invested in only if lots of money can be earned. The more users you can reach — the more money you may get. Simple. These days Mac OS market share is high enough to be attractive to the bad guys. In 2011 it was estimated that Apple had over 5% of worldwide desktop/laptop market share. And figures by web-tracking company Net Applications for the month of August 2012 show that Apple's combined share of the desktop market — counting versions 10.4 and after of OS X — is 7.11%, while Windows Vista for example takes 6.1%! This is a significant figure already, and that's why cyber criminals are turning their heads towards Apple.
The Flashfake epidemic, the first global Trojan for Mac OS, highlighted two things:
First, it showed that the most popular Windows attack scenario can be easily copied for Mac: a Trojan spreads via drive-by downloads — no user interaction needed, no clicks, no admin password. Just surf to a hacked website and the malware gets installed onto your computer automatically.
Second, epidemics are indeed now possible for Mac: if you compare the number of computers infected by Flashfake with the overall number of Macs, you'll find out that the "iBotnet" can be compared to Conficker — the biggest PC-botnet in history!
In sum this all means that we've reached the stage where attacks on Mac OS have become a usual phenomenon — not unusual as claimed in the past. And the scale will only increase. The Apple marketing people may not like it, but it's time to admit it — yes guys, your system is as vulnerable as Windows. Don't ignore the lesson of Flashfake. Think serious about security, not just different [sic].
Re: Healthcare/industry-specific software?
by HideyoshiJ
Many pieces of software and hardware used in healthcare are required to pass FDA certification, especially in areas like radiology. Often times, these vendors report that because they are certified on a certain patch level, these systems cannot be patched without losing that certification. Do you see any solutions to the current state of industry-specific software's seeming lack of quality, updates and security?
EK: What works best in these circumstances is whitelisting. We realized the importance of whitelisting a long time ago when we started our whitelisting program. Like many technologies, whitelisting is not a solution by itself, but in terms of more completely protected machines in healthcare it really does help. What's more, because such machines generally go unchanged the whitelisting rules can be extra strict. In our experience this works very well, especially in combination with technologies such as exploit prevention.
Anonymous Internet IDs
by AaronLS
Do you believe everyone could be issued an ID, and still remain anonymous? What I mean is, I believe that you could ensure each of your users is unique, but not necessarily know who they are. If everyone is issued a certificate signed by some trusted authority, one could verify that the certificate is valid, without the certificate exposing the information about who you are. You could even have a scheme that lets the authority issue you multiple IDs, but only one for each unique ForUseWithDomain attribute, such that if you wanted to keep your identity from being correlated across different sites, you could do so. This could probably even be automated.
This would ensure that if you banned a malicious user from your site, they wouldn't be able to come back without compromising someone else's certificate. Yet, you still get a high level of anonymity.
Sites that require non-anonymous access could deny anonymous certificates, and require that you authorize access to full name perhaps. This would be like OpenID in the way it will prompt you for a site requesting additional information, like your email.
EK: Firstly, in my opinion, Internet IDs aren't necessary for every type of Internet activity. Let me clarify in what cases I think Internet ID is needed. I believe the World Wide Web should be divided into three zones. Red zone is for critical processes: voting in elections, online banking, interactions with official bodies, and other critical transactions. For operations in this zone an Internet ID should be necessary. This is in everyone's interest — no one wants to lose private data which in some cases may lead to losing money, for example. Then comes the grey zone, where minimal authorization is needed. For example, age verification for online shops selling alcohol or adult stores. I don't think an Internet ID is necessary for this zone. You're right — Open ID is enough. And finally — the green zone: blogs, social networks, news sites, chats ... — everything related to your freedom of speech. No authorization required.
I suggest using special proxies for surfing in the red zone. You register using your Internet ID and then you use a nickname. Nobody can see your real name. If you break the law, your identity is subject to disclosure after legal procedures and a court decision. I want to stress that nobody can discover your real identity if you observe the law.
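The per-domain ID scheme proposed in the question above (one pseudonym per ForUseWithDomain, unlinkable across sites, bans that survive re-registration) and the red-zone rule in this answer (register with a real ID, act under a nickname, identity disclosed only through a legal procedure) can be modelled together. The following is an added example written for this page, not code from any Internet ID system; it simplifies the question's signed certificates into HMAC-tagged tokens that a site verifies online with the authority, and all names and domains are constructed:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Token:
    domain: str     # the ForUseWithDomain attribute from the question
    pseudonym: str  # what the site sees: stable for (person, domain), different per domain
    mac: str        # authority's tag over (domain, pseudonym); sites check it with the authority


class IdentityAuthority:
    """Issues one pseudonym per (verified person, domain) and keeps the only mapping back."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)   # never leaves the authority
        self._uid_of: dict[str, str] = {}     # real name -> internal user id (one per person)
        self._name_of: dict[str, str] = {}    # internal user id -> real name
        self._owner_of: dict[str, str] = {}   # pseudonym -> real name (the court-order path)

    def register(self, real_name: str) -> str:
        """Identity checking happens here once; a person gets exactly one internal id."""
        uid = self._uid_of.get(real_name)
        if uid is None:
            uid = secrets.token_hex(8)
            self._uid_of[real_name] = uid
            self._name_of[uid] = real_name
        return uid

    def _tag(self, *parts: str) -> str:
        return hmac.new(self._key, "|".join(parts).encode(), hashlib.sha256).hexdigest()

    def issue(self, uid: str, domain: str) -> Token:
        # Deterministic per (uid, domain): the same person always gets the same pseudonym
        # on one site, while nothing in the value links pseudonyms across two sites.
        pseudonym = self._tag("pseudonym", uid, domain)[:32]
        self._owner_of[pseudonym] = self._name_of[uid]
        return Token(domain, pseudonym, self._tag("token", domain, pseudonym))

    def verify(self, token: Token) -> bool:
        """Sites ask the authority whether a presented token is genuine (online check)."""
        expected = self._tag("token", token.domain, token.pseudonym)
        return hmac.compare_digest(expected, token.mac)

    def disclose(self, pseudonym: str, court_order: bool) -> Optional[str]:
        """Red-zone rule: the real identity comes out only through a legal procedure."""
        return self._owner_of.get(pseudonym) if court_order else None


class Site:
    def __init__(self, domain: str, authority: IdentityAuthority) -> None:
        self.domain = domain
        self.authority = authority
        self.banned: set[str] = set()

    def login(self, token: Token) -> str:
        if token.domain != self.domain:
            return "rejected: token issued for another domain"
        if not self.authority.verify(token):
            return "rejected: token failed verification"
        if token.pseudonym in self.banned:
            return "rejected: pseudonym is banned"
        return f"welcome {token.pseudonym[:8]}"

    def ban(self, pseudonym: str) -> None:
        self.banned.add(pseudonym)


def demo() -> dict:
    """Constructed walk-through: one person, two sites, a ban, and a forgery attempt."""
    auth = IdentityAuthority()
    forum, bank = Site("forum.example", auth), Site("bank.example", auth)
    alice = auth.register("Alice Example")  # constructed identity
    t_forum = auth.issue(alice, "forum.example")
    t_bank = auth.issue(alice, "bank.example")
    first_visit = forum.login(t_forum)
    forum.ban(t_forum.pseudonym)
    # A fresh token for the same site yields the same pseudonym, so the ban sticks.
    after_ban = forum.login(auth.issue(alice, "forum.example"))
    forged = Token(t_forum.domain, t_forum.pseudonym[::-1], t_forum.mac)
    return {
        "unlinkable": t_forum.pseudonym != t_bank.pseudonym,
        "first_visit": first_visit,
        "after_ban": after_ban,
        "wrong_site": forum.login(t_bank),
        "forged": forum.login(forged),
        "no_order": auth.disclose(t_bank.pseudonym, court_order=False),
        "with_order": auth.disclose(t_bank.pseudonym, court_order=True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```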
Re: Online anonymity
by gallondr00nk
Recent protest movements and the Arab Spring have shown that the ability to use the Internet anonymously is crucial to organizing resistance and circumventing censorship or oppression. In light of that have you modified your views on the "Internet ID"?
EK: My position on Internet ID is developing. The more governments speak about regulation of the Internet, the more liberal I become. I'm really worried that one day governments will go too far in their attempts to control the WWW and its users.
After the Arab spring I've slightly changed my views on the subject. I still think that Internet IDs are required for certain operations, but as I've explained above, you don't need them when, say, surfing social networks. And as far as I know it was specifically Twitter and Facebook that were used as communication tools for protesters during the Arab Spring.
Re: "Approved" Spyware
by Fnord666
I assume that various state sponsored agencies provide you with their "research" tools and ask that you not detect them with your products nor should you interfere with their operation. To what extent does this happen, to what degree are you "asked" to comply, and to what degree are you forbidden to discuss this topic? Do you, or if you had the opportunity to do so without repercussions would you, offer a version of your products that identified and disabled this spyware?
EK: There is nobody who can forbid me from discussing this topic, so here you go. The short answer is no — we don't have relations with state sponsored agencies in the way you describe. Nor ever will.
Reputation is an extremely important asset in our business. If you let somebody be your bodyguard you need to be 100% sure that you can rely on this guy. And it's the same for users and companies when choosing security software. Trust is everything for us. If we had such a skeleton in the closet, our rep would go into a nosedive. And believe me, such a skeleton would be found if it ever existed: I'm pretty sure that our products are analyzed scrupulously by competitors, cyber criminals and governments. No, secret agreements with state agencies like the one you imagine — there's never been such a thing nor ever will be.
Kaspersky's relationship with the government
by swb
Does Kaspersky have a relationship with the Putin administration or the FSB? Do either of these organizations have any influence on the business practices or technology of Kaspersky antivirus? Should a security minded person be concerned with the geographic origin of security software?
EK: Firstly, we have relations with law enforcement agencies in many countries, not only in Russia, as per which we provide expertise. Moreover, all the world's leading security companies — Symantec, McAfee/Intel, and Kaspersky Lab — we all collaborate with law enforcement bodies in our own countries and worldwide — to help fight cybercrime. CERTs, the FBI, FSB, Interpol, etc. — our duty is to help them investigate criminal cases.
Without the expertise of security professionals, successful law enforcement operations would be an unattainable dream. When cybercrime cases are domestic, IT Security companies work with their law enforcement agencies to assist in investigations. When they're international, they work with the appropriate law enforcement authorities of the affected countries to abide by legal policies and federal jurisdictions. This cooperation is crucial in fighting cybercrime worldwide, and we are proud to be a part of the process.
Secondly, Kaspersky Lab is a private international company which registered its holding in Great Britain in 2006. This means that our financial reporting is completely transparent and freely available to anyone. As a private company we act independently. There's no organization that could influence our business or product development.
And finally, regarding origin: Paranoia can be useful sometimes, but you should have good reasons for it. Should the security minded person be concerned that his/her laptop is assembled in China? Or that Intel, which produces most processors, has plants not only in the US, but also in Israel, Ireland and China too? Many other chip companies of course design their chips but have them produced by third parties — mostly in Taiwan and China. Should one be worried that one of the leading Microsoft R&D centers is situated in Israel? Or that the SAP headquarters is in Germany, Sony's in Japan, and Acer's in Taiwan?
We live in the age of globalization. Kaspersky Lab has R&D centers and virus experts around the world, including Russia, Europe, Japan, China, the United States and Latin America. It's simply not a question of origin any more.
In the early 2000s, when we first entered both the UK and US markets, we were perceived with a somewhat prejudiced attitude. Nobody took much notice of our product quality, only of its origin. However, I think that was because of a lack of information about our company and the products we supplied. With the years the situation has changed: it's impossible for a superior quality product to stay ignored.
Are you safe Mr. Kaspersky?
by Lieutenant_Dan
You're operating out of the same country that has a ton of botnet operators raking in some decent dough with cheap pharmaceutical sales thanks to people desperate or naive enough to do so.
There have been some interesting stories hailing from your corner of the world. How do you feel with your ability to run your company the way you want and without any threats to you or your staff?
EK: Botnet operators? Cyber criminals? I'd say they're the most tamed animals in our zoo! In recent years we've been discovering much wilder, more dangerous stuff — more and more viruses that can be classified as cyber weapons, created by nation states or by private companies sponsored by them.
Though you can never be absolutely safe, our staff hasn't been threatened, and I hope never will be. This may be because we fight malware, we don't conduct criminal investigations. This is what the police should do.
Re: Your secure OS
by lister king of smeg
You plan on making a secure OS for industrial/infrastructure systems; do you plan on basing it on preexisting open kernels, such as BSD, Linux, Haiku, or Mach? Will it be Unix/Posix like? Will it be a monolithic or micro kernel? Or are you thinking more of a hypervisor that hosts and monitors the guest OS for SCADA systems?
EK: It will not be based on Linux or any other OS. Existing operating systems weren't created with security in mind. Security is an extra option for many of them, and vulnerabilities are inevitable. Of course existing systems have a lot going for them — and we recognize that. But I think that their level of security isn't high enough to cope with today's threats.
We're developing our OS at the micro kernel level.
We support the POSIX standard to the extent it does not contradict our security principles. Our main target is to create a development platform for those interested in producing software or hardware with very high levels of security. As for a hypervisor, its creation is not our original intent, although we're not completely disregarding such a development path.
Re: Your exploit-free OS
by eldavojohn
Recently you confirmed you're working on an exploit-free OS following all the SCADA attacks. Among other things, you're claiming it is to be written from scratch but I can't find many details on what it's going to look like architecturally. You say: "Architecturally, the operating system is constructed in such a way that even a break-in into any of the components or applications loaded onto it won't allow an intruder to gain control over it or to run malicious code."
Could you expound on this? Are you writing this code or still in the design phase? Or better yet, could you compare it to something like, say, CentOS or Debian, and tell us how your architecture is going to be more secure? I understand you're scoping down the requirements of your OS to be more easily manageable, but the skeptic in me feels like it just can't be done. The cat and mouse game must be played in some form or fashion.
EK: This highly-complex project is extremely time consuming. We are still writing the code but we already have several working prototypes.
Don't believe the skeptic inside you. It is possible. Our OS will guarantee the possibility to run just preliminarily and explicitly declared functionality. I'm afraid I'm not ready to disclose much information at this stage — our rivals are watching. We are also currently collaborating with hardware manufacturers. Where there is a need for a superior level of security we plan to provide an integral, reliable computer appliance developed by our own team of specialists. Regarding architecture, we're not restricting ourselves to anything specific such as x86 or ARM. The hardware will definitely have to meet some specific requirements because it will have a direct bearing on the ability to ensure the required security guarantees. Follow our news — it's going to be interesting.
Re: The importance of programming language to SCADA security?
by Anonymous Coward
How important will the process of choosing a "language-based system" be to ensure the security of the operating system you envision? Choosing a type-safe language to create a memory-safe OS can help with the threats posed by the Internet or malware while also reducing some complex code used to get around a lack of type-safety in an OS. Will you be creating your own system or general purpose programming language to ensure this security in this way? If not, there are a few languages already available, or partially available, to choose from: Cyclone (an extension of the last version of C), Red/System (still under development), Euphoria (a system language with type-checking, and it uses simple words instead of punctuation to improve readability) and the combination of a type-safe Assembly that handles hardware and memory with managed C# that handles the rest of the kernel and the applications (like Microsoft implements in the Verve OS and might implement in a future Windows; that is, code-name Midori).
EK: Using a type-safe language is an interesting and promising approach, although we're not using it in our micro-kernel. We give a higher priority to tailoring OS architecture along with our security principles, which do not depend on the implementation language. More details on the approaches we use we'll share later.
Re: Malware's history and future?
by Anonymous Coward
You've been in computer security a long time, and have seen many things come and go. DOS/bootsector viruses, Windows viruses, macro viruses, rise of worms to replace them, and now the commercialization of malware with botnets, extortion-ware and the targeted weaponised malware like the one that hit Iran (and who knows what else). What's changed? What's remained the same? What about the malware creators — has their motivation changed? Where do you believe things are headed?
EK: Twenty years ago malware was a curious toy for programmers. Ten years ago it was a criminal instrument for bad guys who wanted to earn some money. Today it's a cyber weapon for governments. And that is the main and the most dangerous tendency of recent years.
Recent malware — Stuxnet, Duqu, Flame, Gauss — proved that cyber weapons (i) are relatively cheap to produce, (ii) are effective, (iii) mostly go undetected, (iv) leave their authors anonymous, and (v) can be easily replicated. And they're hard to protect against. They look like perfect weapons to some governments. In the meantime, Pandora's box is now wide open.
The most dangerous aspect of cyber weapons is their unpredictable side effects. A worst case scenario is when a cyber weapon aimed at a specific industrial object — like, say, Stuxnet — isn't actually able to accurately pick out its victim — either down to a mistake in the algorithm or a banal error in the code. As a result of such an attack the targeted victim — let's say a nuclear power station — would not be the only one affected: all the other nuclear stations in the world built with the same design would be too. Sounds scary, doesn't it? And without control from an international body, it could become more than scary: catastrophic.
As concerns home/consumer users, the defining feature of the next decade will be an enormous shift to mobile OS — and all the cyber criminals will be there already to greet them. The more financial transactions we conduct using smartphones, the more cyber criminals will target them. Future developments are likely to see more mobile botnets and drive-by downloads. There is also a high probability that the first mass worm for Android will appear, capable of spreading itself via text messages and sending out links to itself at some online app store. We're also likely to see more mobile botnets, of the sort created using the RootSmart backdoor.
Digital concepts young people should learn?
by davecrusoe
There's much talk about combating malware through technical solutions (e.g., adding transparency to communication, building increasingly sophisticated scanning systems, etc.). But what interests me is what we should be teaching our young people (children in primary and secondary school) with respect to the expertise we wished all adults possessed. In your estimation, what are 2-3 things that, if young people understood well, would help them excel in the face of cyber adversity (e.g., malware, privacy theft, etc.)?
EK: The most important advice I can give to young people is to always use your head. It might sound too simplistic, but if everyone who surfs online followed this rule the risks would be minimized. Don't download suspicious applications, and use social networks with caution. The largest portion of viruses is being spread with the use of social engineering, so never open links or files from unknown persons. Never ever! And even if you know the person, double check before doing so. Another way is to open suspicious files or links in a Sandbox mode.
Also, always use up-to-date quality security software. Free AV products are not a solution. Don't forget to update your system regularly. Install all the patches from the software developer and don't ignore update notifications.
By following these few simple rules you can minimize the risks online. As I mentioned, I've got standard Windows running with Internet Security, and I don't experience any problems with online surfing. -
Interviews: Ask What You Will of Eugene Kaspersky
Eugene Kaspersky probably hates malware just as much as you do on his own machines, but as the head of Kaspersky Labs, the world's largest privately held security software company, he might have a different perspective — the existence of malware and other forms of online malice drives the need for security software of all kinds, and not just on personal desktops or typical internet servers. The SCADA software vulnerabilities of the last few years have led him to announce work on an operating system for industrial control systems of the kind affected by Flame and Stuxnet. But Kaspersky is not just toiling away in the computer equivalent of the CDC: He's been outspoken in his opinions — some of which have drawn ire on Slashdot, like calling for mandatory "Internet ID" and an "Internet Interpol". He's also come out in favor of Internet voting, and against SOPA, even pulling his company out of the BSA over it. More recently, he's been criticized for ties to the current Russian government. (With regard to that Wired article, though, read Kaspersky's detailed response to its claims.) Now, he's agreed to answer Slashdot readers' questions. As usual, you're encouraged to ask all the questions you'd like, but please confine your questions to one per post. We'll pass on the best of these for Kaspersky's answers. Update: 12/04 14:20 GMT by T : For more on Kaspersky's thoughts on the importance of online IDs, see this detailed blog posting. -
Kaspersky's Exploit-Proof OS Leaves Security Experts Skeptical
CWmike writes "Eugene Kaspersky, the $800-million Russian cybersecurity tycoon, is, by his own account, out to 'save the world' with an exploit-proof operating system. Given the recent declarations from U.S. Secretary of Defense Leon Panetta and others that the nation is facing a 'digital Pearl Harbor' or 'digital 9/11' from hostile nation states like Iran, this sounds like the impossible dream come true — the cyber version of a Star Wars force field. But on this side of that world in need of saving, the enthusiasm is somewhat tempered. One big worry: source. 'The real question is, do you trust the people who built your system? The answer had better be yes,' said Gary McGraw, CTO of Cigital. Kaspersky's products are among the top ranked worldwide, are used by an estimated 300 million people and are embraced by U.S. companies like Microsoft, Cisco and Juniper Networks. But while he considers himself at some level a citizen of the world, he has close ties to Russian intelligence and Vladimir Putin. Part of his education and training was sponsored by the KGB, he is a past Soviet intelligence officer (some suspect he has not completely retired from that role) and he is said to have a 'deep and ongoing relationship with Russia's Federal Security Service, or FSB,' the successor to the KGB and the agency that operates the Russian government's electronic surveillance network." -
Kaspersky To Build Secure OS For SCADA Systems
Trailrunner7 writes "Attacks against SCADA and industrial-control systems have become a major concern for private companies as well as government agencies, with executives and officials worried about the potential effects of a major compromise. Security experts in some circles have been warning about the possible ramifications of such an attack for some time now, and researchers have found scores of vulnerabilities in SCADA and ICS systems in the last couple of years. Now, engineers at Kaspersky Lab have begun work on a new operating system designed to be a secure-by-design environment for the operation of SCADA and ICS systems. 'Well, re-designing ICS applications is not really an option. Again, too long, too pricey and no guarantees it will fit the process without any surprises. At the same time, the crux of the problem can be solved in a different way. OK, here is a vulnerable ICS but it does its job pretty well in controlling the process. We can leave the ICS as is but instead run it in a special environment developed with security in mind! Yes, I'm talking about a highly-tailored secure operating system dedicated to critical infrastructure,' Eugene Kaspersky said in an interview." -
New State-Sponsored Malware "Gauss" Making the Rounds
EliSowash writes "A newly uncovered espionage tool, apparently designed by the same people behind the state-sponsored Flame malware that infiltrated machines in Iran, has been found infecting systems in other countries in the Middle East, according to Kaspersky researchers. Gauss is a nation-state-sponsored banking Trojan which carries a warhead of unknown designation. Besides stealing various kinds of data from infected Windows machines, it also includes an unknown, encrypted payload which is activated on certain specific system configurations. Just like Duqu was based on the 'Tilded' platform on which Stuxnet was developed, Gauss is based on the 'Flame' platform." -
New Version of the MaControl Trojan Spotted In the Wild
EliSowash writes "A new version of the MaControl malware has been reported in the wild. More information on the malware, its behavior, and the attack campaign is available from Kaspersky Labs, who discovered this variant. As more malware authors become motivated to attack OS X it is likely that we will continue to see targeted attacks such as this in the future. Just like with PC malware, a combination of exploits and social engineering tricks are generally the most effective; it won't be surprising to see a spike in such attacks soon." -
Safe Harbor Spells Win For Kaspersky In Malware Case Against Zango
suraj.sun writes to tell us that the 9th Circuit Court of Appeals has ruled in favor of security company Kaspersky in the recent case questioning their classification of Zango software as malware. "The court ruled that Kaspersky Lab, which classified online media company Zango's software as malware and 'protected' users from it accordingly, could not be held liable for any actions it took to manufacture and distribute the technical means to restrict Zango software's access to others, as Kaspersky Lab deemed it 'objectionable material.' Zango sued Kaspersky Lab to force the Company to reclassify Zango's programs as nonthreatening and to prevent Kaspersky Lab's security software from blocking Zango's potentially undesirable programs. In the precedent-setting ruling for the anti-malware industry, the Court of Appeals for the Ninth Circuit affirmed a lower court ruling that Kaspersky Lab is a provider of an 'interactive computer service' as defined in the Communications Decency Act of 1996. Part of the Communications Decency Act of 1996 states: 'No provider or user of an interactive computer service shall be held liable on account of ... any action taken to enable or make available to information content providers or others the technical means to restrict access to [objectionable] material.'" -
Using Distributed Computing To Thwart Ransomware
I Don't Believe in Imaginary Property writes "The folks at Kaspersky labs are turning to distributed computing to factor the RSA key used by the GPcode virus to encrypt people's files and hold them for ransom. There are two 1024-bit RSA keys to break, which should require a network of about 15 million modern computers to spend a year per key factoring them. Unfortunately, there appear to be no vulnerabilities in the virus' use of RSA, unlike some previous cases. Perhaps more interestingly, there's some debate over whether people should bother cracking it. After all, what if they were trying to trick us into factoring the key for a root signing authority? Besides, there's a more direct method of breaking the encryption: track down the people who wrote the virus and force them to talk." -
Antivirus Vendors Headed for Court
SkiifGeek writes "A showdown between Rising Tech, a Chinese Antivirus vendor, and Kaspersky Lab in a Chinese court could have implications for software vendors that misidentify system files and files from their competitors as being malicious." -
Internet Meltdown Predicted for Tomorrow
Kobalt writes "A few news services are reporting that Russian computer expert, Aleksandr Gostev from Kaspersky Labs, has predicted that a large chunk of the Internet will be shut down tomorrow by cyber terrorists." -
Microsoft Mail Worms Gang War?
cuzality writes "The media is now beginning to suggest that this recent onslaught of new viruses (with new versions of major-impact viruses being found daily) is the result of a virus gang turf war, kinda like the India/Pakistan virus conflict, in which official Pakistani sites were savaged by such infamous groups as Indian Snakes and Indian Hackers Club. The gangs are shooting fast and loose: variations of the big ones are being discovered daily (as of March 4, we are up to MyDoom.H, Netsky.F, and Beagle.K), and in the space of three hours on Wednesday morning, five variants of these three were first discovered. Typically these viruses (or more correctly, worms) do little damage to the infected computer, intent mostly on spreading far and wide, and sometimes inflicting DoS on some poor evil empire." -
Slashback: VeriSign, Balance, Manifestation
Tonight's Slashback brings updates and clarifications to several previous Slashdot stories, so read on below for information on the (over-stated) recall of Segway scooters, the fate of RAV AntiVirus's Linux development team, VeriSign's Site Finder, the (latest) Lindows v. Microsoft scuffle, and more.
Linux antivirus developers join Kaspersky Labs. prostoalex writes "The Linux development team of Romania-based RAV AntiVirus, acquired this June by US-based Microsoft, joined Russia-based Kaspersky Labs. This transition took place after Microsoft confirmed there will be no Linux or Novell version of antivirus software. Kaspersky Labs now works on RAV Migration program for Unix/Linux users, since the company officials deem this market as one of the fastest-growing."
VeriSign must love attention. talon77 writes "Netsys is reporting that a class action lawsuit has been filed against Verisign due to their Sitefinder. It's about time."
And Anonymous Brave Guy writes "VeriSign are in legal trouble yet again, this time for handing over a domain name to a former employee of the former holder. Also some interesting tidbits in here about the impact of the sex.com case, the fact that since July domain names are regarded as property under U.S. law, and the idea that VeriSign might themselves be held accountable for punitive damages awarded against someone who takes over a domain name improperly."
Piling on, Anonymous submits: "Verisign seems to have issues with returning proper response packets for DNS queries on unused domains, so we thought we would give them a quick reminder in case they forgot what the right answer was. You can find pictures here. (This was on their building in Mountain View, and the signs said 'Verisign/Netsol, as if people didn't hate you enough already... How greedy/stupid are you? [Made with figlet/vim/a2ps/poster.c]')"
Update: 10/02 00:37 GMT by T : And (ooops!) this part got chopped off: "Note that the Verisign web search is powered by Inktomi for search and overture for ads, both of which are now owned by Yahoo. You can always vote with your dollars and your clicks."
Ohio uncappers peer at the ToS. Mike writes "Looks like Broadband Reports has posted a follow up to what happened to those Ohio Cable broadband users who had FBI agents confiscate their hardware for uncapping their modems (See original BBR story here, Slashdot story here). Looks like most of the offenders settled for fines and community service, but one took the case all the way, and eventually got it overturned because the cable company's AUP failed to clearly mention their legal stance on uncapping."
Thorn-in-side lessons, part IIXIIXV. jlechem writes "Lindows and Microsoft are at it again. Wired News is running a story about Lindows refusing to take down the settlement website reported on by Slashdot earlier. CEO Michael Robertson stated 'Our plan is to continue to offer the MSfreePC service in spite of your threats. If required, we will be a voice in the courtroom defending a consumer's right to use technology and an online process to secure their settlement claims.'"
MPAA Scratches Oscar Screeners. xstein writes "In a follow up to this story, the major studios have agreed to go along with the MPAA's proposal to stop sending out screener tapes and DVDs to Academy members. The agreement would include MPAA's seven studio members, Disney, WB, Sony, Universal, 20th Century Fox, Paramount, and MGM, as well as their affiliates, which include New Line, Miramax, Focus Features and Sony Pictures Classics. Dreamworks, although not an MPAA member, also agreed to the ban. This move scratches a longstanding tradition, and is seen to hurt smaller, independent-minded movies distributed by MPAA members the most, though it may allow truly independent studios such as Lions Gate to gain extra attention with their screener tapes. E! Online and Salon.com have the scoop."
Phantom Offices? Ray B writes "On September 18th, Slashdot posted about an article on the Phantom video game console. Of particular note in the primary article investigating the Phantom's founder(s), was that the company did not even have physical offices.
Just four days later, the Phantom email Newsletter #2 is issued, with the first bit of news being:
"Infinium Labs recently signed a five-year lease on 10,000 sq. ft. of prime office space to locate its corporate offices in the Centre Pointe Building in downtown Sarasota, Florida. The Centre Pointe offices are in close proximity to many of the company's early investors, its corporate legal counsel and the industrial design firm that is developing the Phantom Game System(TM) prototypes"
Coincidence or damage control?"
Well, start with the Python then and work your way up. Wolfbone writes "A recent edition of 'Global Business,' a BBC World Service programme available here in RealAudio form, contains an admission that the BBC cannot afford to put its entire archive online, contradicting an earlier Slashdot story and the BBC's own report. Even though it only has 11.56 Petabytes of the stuff, some of it recorded on wax cylinders, it would be too expensive, apparently, to keep their earlier promise. The rest of the programme is about the more general problems of long term archiving of data and how some organizations still don't trust digital electronic formats and prefer to stick with paper and microfiche."
Segway recall: in and out in 10 minutes! ptorrone writes "I got my Segway HT updated today, the 'recall' is a simple software update, it took 10 minutes and that was about it. To clarify what the recall is ...the HTs are not being sent back, Segway has people in each state of the USA and they update them. So far all owners have been notified and thousands have updated. The update makes it harder for people to ride after numerous low battery alerts (3 people out of 6,000 thought something else). Here are my pictures from the update procedure."
-
Targeted Worm Hits Kazaa's Network
sh0rtie writes: "Kaspersky Labs and the BBC are reporting that the Fasttrack network that Kazaa uses has been hit by its first targeted worm virus dubbed 'Benjamin.' Is this a clever RIAA creation or that of a mischievous virus writer? I guess we will never know, but the result is that it seems to be bringing unsuspecting users' machines to a crawl with full hard drives and clogging up the Fasttrack network with massive amounts of traffic, bringing more headaches for ISPs and sysadmins worldwide." -
FreeBSD Anti-Virus Protection
nivals writes: "BSDatwork has a review of the Kaspersky Anti-Virus package for FreeBSD. It seems to be written by an administrator who was trying to solve the shortcomings of software like Amavis with UVSCAN. It seems to praise the speed of the software but not some of the installation information. A worthwhile read for a commercial alternative to Amavis."