Kaspersky's Exploit-Proof OS Leaves Security Experts Skeptical
CWmike writes "Eugene Kaspersky, the $800-million Russian cybersecurity tycoon, is, by his own account, out to 'save the world' with an exploit-proof operating system. Given the recent declarations from U.S. Secretary of Defense Leon Panetta and others that the nation is facing a 'digital Pearl Harbor' or 'digital 9/11' from hostile nation states like Iran, this sounds like the impossible dream come true — the cyber version of a Star Wars force field. But on this side of that world in need of saving, the enthusiasm is somewhat tempered. One big worry: source. 'The real question is, do you trust the people who built your system? The answer had better be yes,' said Gary McGraw, CTO of Cigital. Kaspersky's products are among the top ranked worldwide, are used by an estimated 300 million people and are embraced by U.S. companies like Microsoft, Cisco and Juniper Networks. But while he considers himself at some level a citizen of the world, he has close ties to Russian intelligence and Vladimir Putin. Part of his education and training was sponsored by the KGB, he is a past Soviet intelligence officer (some suspect he has not completely retired from that role) and he is said to have a 'deep and ongoing relationship with Russia's Federal Security Service, or FSB,' the successor to the KGB and the agency that operates the Russian government's electronic surveillance network."
It's on my 4-function desktop calculator. You didn't specify what the OS had to be able to -do-...
[/obligatory]
... doesn't mean that Kaspersky isn't still tied to Russian military interests. Proceed with caution.
www.chihuahuarescue.com- Help to end dog abuse, abandonment and cruelty
In other words, I know how to build the perfect henhouse. Trust me. I'm a fox. If there's one thing I know, it's henhouses...
A rigorous definition of "exploit" could be a challenge, and proving an operating system to be safe against them would be a major theoretical challenge.
So start with something easier to assess: prove whether the operating system will halt.
If you can't solve the easier problem, don't pretend to have solved the harder problem.
I can guarantee they will find a way to infect that machine.
Hello,
This is a very interesting move by Eugene Kaspersky. Speaking as both someone who has worked at an embedded systems manufacturer (VoIP telephony gear) and also as a competitor (antimalware) I know that each one has very specialized toolchain requirements and that expertise in one area does not necessarily translate to mastery of the other.
Probably more curious is the timing of the announcement: It seems an odd time for a Russian antimalware company whose founder has close ties to that country's intelligence agencies to announce a new operating system for critical infrastructure tasks, especially since the US House Intelligence Committee is tearing into Chinese telecom gear vendors Huawei Technologies and ZTE over concerns about the security of their products.
That said, while my interaction with Eugene Kaspersky over the past decade has been minimal, he has assembled a world-class group of researchers, and I would have no concerns about running any code written by them on any computer I own were I not a competitor.
Regards,
Aryeh Goretsky
Dexter is a good dog.
This will fly right until the first exploit, after which all belief will be broken. I'm in an optimistic mood: I'll give it a year.
"It's too bad that stupidity isn't painful." - Anton LaVey
I know it's not exploit proof but becoming a platinum sponsor and insisting they spend the money on code review. Then make custom modifications to remove all functionality and you should get close.
If the people buying and operating these systems really cared about security I am sure they could piece together a far more secure solution at the expense of cost and convenience from current software.
I think it would be great if he could actually pull this off. He's made himself into a huge target, though. Also, even if he does, our government would never use it, because they'd be worried about spying.
It just shuts itself down on the first attempt to use it. Just to be safe.
Thinking about it further, it might be possible if you make it totally unusable. (No you can't install a browser (are you NUTS?), no you can't download a file, no you can't run a server, no you can't do anything, get away from my keyboard you LUSER!). Should be great fun.
"It's too bad that stupidity isn't painful." - Anton LaVey
is the only way there can be an OS everybody trusts.
There are a lot of levels of trust. For a machine that doesn't handle anything secret or financial data (including personal), Windows is generally good enough, for all its long history of exploits. Even then, many, many people and organizations use it for things that are secret or financial data anyway. Sometimes they get burned that way. A Mac is (maybe) a little better. Linux is better still.
Then there's a level of trust way out at the extreme end. If the secrets are serious enough, you can't trust the system you built it yourself from source and audited every single line of said source. Since hardly anyone can do that, having it audited and built by people you trust (in the case of the government, the NSA, for example) has to do. If it's even more sensitive, the network, or maybe even the machine, should also be air-gapped.
If you have a sensitive use case such as, oh, I don't know, running centrifuges to enrich uranium, should you trust a binary OS that wasn't built by your people to be either secure against exploits or to not be already trojaned? Of course not. Just ask the Iranians. Or the Russians themselves, who had a little refinery trouble during the cold war because of that.
In such a case, you either want your people writing the code, or at least very carefully auditing every single line of the source, then building the binaries from that code. If you don't or can't, especially in the case of embedded systems, you cannot have any confidence that software is even secure against exploits, let alone that it won't turn on you.
Many modern operating systems, from Linux to BSD to yes, even Windows, can be quite secure if you use them responsibly.
The problem is that very, very few people know anything at all about how to do that. Even on slashdot, you have people defending terrible insecure practices because "it's easier". As long as people value the ease that comes with not-thinking over security, there can be no exploit-proof OS.
1 - The cold war is over. Capitalism won (not democracy).
2 - If I had a choice between something checked by the Russians, the US and the Chinese, the only one I would flat out reject would be the Chinese one. I see US spooks as no more concerned with my happiness and wellbeing than Russian ones.
I'll see your Constitution and raise you a Queen.
If it's man made and accessible, it's exploitable.
Thinking otherwise is foolish.
Visit the Arcade Restoration Workshop @ http://www.arcaderestoration.com
Slashdot headline: 'Russian is Russian'
Thanks for underlining the mistake. It's impossible to miss that way.
Although improvements can certainly be made, it's simply not possible to make a useful computer totally exploit proof.
This is because ultimately, the PEBKAC.
It is possible, Kaspersky wrote, because it will not be something for the masses, but, "highly tailored, developed for solving a specific narrow task, and not intended for playing 'Half-Life' on, editing your vacation videos, or blathering on social media."
Odd, I thought blathering was one of his favorite pastimes! :-)
Something in me thinks that we've been down this path before....
It all comes down to who's watching the watchers....
Linux + SELinux, (SELinux, which was originally built by the NSA for those who don't know enough history to realise) is an operating system with an immutable watchdog. What more do you want?
If you have the source code and the policies, both of which can be externally audited, how can you (As an external person) screw this up?
I remember back in the old old Solaris days dealing with buffer overflows in the driver stack to get remote root, but those days are gone, you would never get that permission to access that executable, let alone open a socket.
If you've got SELinux + policies it's here and it's here now.
Just in case you think this is a pro-Linux rant...
Microsoft have spent a truck load of money on "trustworthy computing" to find new exploits, to the extent that they have honeypots to find new stuff for back testing.
They don't have a watchdog yet, they've started with Windows Defender, but that's nowhere near low level enough yet, and the whole anti-competitive landscape, plus developer buy in (And unfortunately a lot of devs don't know exactly what they're really doing) makes it difficult to say the least. They are still a couple of OS releases away from making it work.
Curiosity was framed; ignorance killed the cat. -- Author unknown
I often hear of "Russian hackers" and the hacker scene is supposedly pretty big, and I've always wondered to what extent the government there had a hand in that. Anyone here have any experience with the Russian scene?
And why is the hacker scene so big there?
That said, while my interaction with Eugene Kaspersky over the past decade has been minimal, he has assembled a world-class group of researchers, and I would have no concerns about running any code written by them on any computer I own were I not a competitor.
Regards,
Aryeh Goretsky
"I have little experience but trust him". Why? Considering this article specifically questions the integrity of his ability to be partial, you should say why.
And that is the bigger problem here: Kaspersky, by his own account, wants to change the world as well as save it, and not in ways that appeal to Western thinking and U.S. interests. Noah Shachtman, in a lengthy profile for Wired.com, noted that Kaspersky doesn't like the current level of Internet freedom. He wants it partitioned, with a digital "passports" required for access to certain areas and activities. He advocates government monitoring and regulation of social networking sites.
Can you as a business trust ANYONE who says stuff like that to protect your critical infrastructure/production lines?
Is how McAfee SiteAdvisor flags your site as exhibiting "Risky Behaviour", warning me before even visiting ...
"It's such a simple system though! Surely it's limited to its base rules, isn't it?"
The qualifier at the end of your statement is a major problem if you mean you'd be afraid to use it because you personally have something to fear because you are a competitor, and therefore might be a target for maliciousness from him. I suspect you meant you can't because you must eat your own dog food, so to speak, but I think the first interpretation is more important. If you even might have something someone else wants badly enough, there are ways to make it happen. So the OS you use is exploit proof? Then they make the maker of your OS build an exploit into it. Either by legislation, or blackmail, or threats, or traitors, there's always a way.
Bull (bull shyte)
The most secure modern operating systems you can get are OpenBSD or FreeBSD. They are based on stable mature open source, and don't have the bloat and featureitus problems of Linux.
--libman
follow the "Ferengi Rules of Acquisition". That way the only thing that's exploited is your wallet.
Mod me up/Mod me down: I wont frown as I've no crown
"Given the recent declarations from U.S. Secretary of Defense Leon Panetta and others that the nation is facing a 'digital Pearl Harbor' or 'digital 9/11' from hostile nation states like Iran"
I'm worried by this blurring of distinctions in the historical significance of the two events. Whatever your political persuasion, Pearl Harbor was a de facto declaration of war. It was a strike against a military target carried out by a true nation state. The "9/11" terrorist attack was something else. It was carried out by an independent group that at worst can be described as being in an alliance of convenience with some foreign government.
By confusing our figures of speech for two clearly different types of cyberattacks, the danger is that the same counterattack methods will be used for both. Treating "9/11" as an act of war, and not simply as a well-coordinated distributed terrorist attack, led to a trillion-dollar War on Terror. In hindsight, did it make sense to send out a nation's armies to deal with a few hundred suspected terrorists? Wouldn't it have been better if the intelligence agencies dealt with the issue, resorting to large military strikes only when the intelligence and situation warranted?
So now will the hometowns/countries of suspected Anonymous members be the target of the same massive disruption of IT services that the US would launch in retaliation for a supposed cyberattack from Iran or China?
One way I know of to be "reasonably" secure would be to have the OS totally in ROM. Malware infections will still occur, but since the entire OS is read only, any infection would not be able to survive a re-boot. Every time you turned on the computer it would be clean. I think this would be an ideal Internet appliance for non-techies or those who just want to visit web sites, do email, play on-line games and stream video. Not quite a "dumb" terminal, but darn close. It would suffice for probably 98% of what I do on-line.
Only major problem would be on-line retail, even a temporary infection could steal your VISA number. I don't have an easy fix for that one.
Really, the definition of "secure" should be "enforces a specific policy with high assurance". High assurance comes from a rigorous development process, code review, testing, etc. For the highest levels of assurance, per the ISO/IEC 15408, there must be mathematical proofs that the implementation conforms to a mathematical model of security. If done this way, it doesn't matter that "any computer powerful enough to be interesting is powerful enough to do [other things]". The point is that the computer can be shown, with high-assurance, to do only what is intended.
I haven't seen any details about how Kaspersky intends to create his secure system, but, if it has any chance at all of success, he'll have to use the well-known principles prescribed by the ISO standard (and older standards, like the old US DoD "Orange Book").
Exploit-Proof was one of the main requirements of OpenBSD when it started 17 years ago.
Many trust Google and one of them came from the Soviet Union as a child. Kaspersky is after malware. Google is after yours and everyone else's data to serve them rich media ads, which I personally consider to be a system compromise risk, thus malware.
While it would certainly be nice if this claim were true (I doubt it is), social engineering is a bigger problem and one that, one would think, we could see more benefit in working to eliminate than the benefit we might see from buying some outrageous claim.
I do not respond to cowards. Especially anonymous ones.
Deducing whether the code is safe or not based on the authors' nationality or background is just ridiculous.
To claim that anything is exploit proof requires a level of arrogance and/or stupidity I hadn't thought possible outside of government.
In the last interview with Wired magazine (http://www.wired.com/dangerroom/2012/07/ff_kaspersky/all/), Eugene Kaspersky was advocating securing internet (or a part of it) with something like state issued IDs. No ID -- no internet. That made me very skeptical, what would it take to use someone else's ID, there might be a new market for such IDs. Not sure his ideas of having the secure OS would work either. From the article:
What is mentioned is Kaspersky’s vision for the future of Internet security—which by Western standards can seem extreme. It includes requiring strictly monitored digital passports for some online activities and enabling government regulation of social networks to thwart protest movements. “It’s too much freedom there,” Kaspersky says, referring to sites like Facebook. “Freedom is good. But the bad guys—they can abuse this freedom to manipulate public opinion.”
There's no such thing as "illegal download"
This idea that we could build a magical "exploit proof" OS if only we want to bad enough is stupid. While some exploits happen because of stupid design decisions, far more happen because of simple unintended consequences.
With an OS you are in the difficult position of needing to offer access but trying to keep out unauthorized access, and to do so in an ecosystem of arbitrary software on the system. That's a real hard problem to solve. Any time you build a door, it can be used for both wanted and unwanted visitors to enter through.
So sure, you can completely secure something by completely securing it from being accessed, but then it isn't useful. If you want to have an OS that connects to the Internet, which is totally wild and untamed, and you want to be able to have end users install arbitrary software, and you want to let it be used in arbitrary ways, well it'll be open to exploits. Design as carefully as you like, something unintended will pop up at some point.
The more you lock it down, the more secure it'll be, but the less useful.
There's no magic bullet, were there, it would already be in use. It is all tradeoffs. That's why some systems that need to be really secure are in a situation where they can only run verified code, and they are not on public networks and can only be accessed in specified ways and so on. Even that isn't perfect, just better.
People need to understand that digital security really is like physical security: There is NO perfect security. There is only defense in depth, practice monitoring and mitigation, and eternal vigilance.
OpenVMS. Severe security. Very much proven. It's here and ready to rock. How could a Russian anti virus maker possibly create something from scratch that rivals VMS or SELinux? It would take his company many many years and take some serious brain power to solve a problem THAT'S ALREADY BEEN SOLVED.
Super secure systems exist. They are (nearly) attack proof. They just aren't Windows.
What is his market? Those who need this level of security HAVE IT. The NSA isn't going to run out and buy his stuff anytime soon.
In theory? Yes. Without oversight or public code review?
Heh. ...
Wait, you were serious?
exploit-proof OS
No OS can be exploit proof if it is an algorithmic system, i.e., a Turing machine. Why? Because time is not an inherent part of the Turing computing model. The most important part of a secure software system is timing. No system can be reliable and safe unless it provides a deterministic way to impose which operations should occur concurrently and which should occur sequentially.
Kaspersky's OS will fail miserably unless he reinvents the computer such that the timing of operations is deterministic. With a deterministic system, it's easy to detect intruders and malfunctions because every intruder and bug will invariably mess up the expected timing and trigger alarms created automatically for that purpose.
But in order to properly reinvent the computer, Kaspersky must first solve the parallel programming crisis.
F.U.D.
As a child of the 70's and 80's, that combination of words still seems weird to me, it still strikes me today as a bit of an oxymoron.
What's a Star Wars force field? I've heard of Star Wars deflector shields but never any mention of force fields. Perhaps the author was thinking of Star Trek.
I think we all know that the Death Star shield was not impenetrable... All it took to take it down was a small group of rebels and a clever social hack (aka, "we've got the rebels on the run, sir!")
No sig for you! Come back one year!
There is a difference you know. Not that it would change who you bomb though.
Doesn't seem like odd timing to me at all. By all accounts the US, possibly along with Israel, have launched attacks on civil nuclear infrastructure of Iran, infecting Bushehr plant along with other locations. Who knows what MAY have happened when nuclear equipment goes on the fritz due to cyber attack. AFAIK, initiatives towards Russian OS have already been initiated for smartphones for Russian government employees, as well as interest in backing other general purpose OS. A secure OS for critical infrastructure would only make sense.
As someone who's known Aryeh professionally over many years, I do know that he's well qualified to make these comments.
While I've never worked for a competitor, as he has, I have been at times extremely active in the antimalware circuit and do trust Kaspersky software. They're good people, and smart as hell, just need to work on improving their products some.
That aside; Hey goretsky, long time no see :)
You will be baked, and there will be cake.
Linux + SELinux, (SELinux, which was originally built by the NSA for those who don't know enough history to realise) is an operating system with an immutable watchdog. What more do you want?
SELinux wasn't intended to be highly secure. It's an add-on to Linux, after all, not a new OS. The purpose of SELinux was to get a mandatory-security system out and widely used so that applications would be written to run under tight restrictions. Read what NSA originally wrote about it.
A big problem with secure operating systems is getting applications to run in a secure environment. That means saying "no" a lot. No, your game can't find out what else is running. No, Photoshop can't snoop the LAN for other instances of Photoshop with the same serial number. No, you can't run code in a spreadsheet attached to an email. No, you can't have a browser which has pages from multiple sites in the same memory space. That's what it means to have a secure OS.
The hope of SELinux was that applications would gradually be rewritten to run under tight restrictions like that. It didn't happen.
Look how much whining there is whenever Microsoft tightens up Windows. Users will choose ad-supported games that phone home over security.
What he's saying is he wants to limit the traffic to critical infrastructure much the same way you are required to have a ticket to board a plane. That system keeps lots of unwanted people off of planes, and while some bad apples may still board, many, many, many more do not. That is exactly what you want from a security standpoint--not a complete lack of restrictions.
Russia and Russian firms probably have as much reason to want to build truly secure systems as the US does, and let's put our cards on the table here: No one should trust the US to make truly secure software any more than they should trust the Chinese. If their parts didn't come from China, you still have a government that can't help but keep its dirty little fingers in everything. Even the open source movement isn't safe. Even discounting the possibility that a corrupt entity infiltrates a team, a corrupt entity is free to fork code almost on a whim without oversight or authorization, and they can use techniques used in the obfuscated code contests to make their malware look legitimate.
So, maybe you can keep pretending to know something about security, but I certainly won't trust what you say about it.
title says it all. I don't even understand how the news can be expressed this way on /.
If you accept a closed source, get yourself a Blackberry Playbook.
With signed bootblocks and full disk encryption, it's definitely unbreakable, an appliance indeed. Lost it, buy a new one, reload all bought apps for free, reload file backup and just forget the thief.
When comparing to what I had to do when our last Mac was stolen, it's really like living in a different world.
Then it's still closed source.
I have one, while patiently waiting for the first Linux tablet.
Allow me to explain further. My direct interaction with Mr. Kaspersky has been minimal—it has been several years since we exchanged emails. He is the CEO of a security firm that clocks in at a sizable fraction of a billion dollars, and I'm a researcher at a smaller competitor. On the other hand... I interact professionally with his researchers on a regular basis and we all go to the same conferences and so forth so there's more face time at that level.
From everything that I have seen, we all want the same thing: The ability to use our computers safely without fearing malicious activity on (or towards) them. Now, the means towards that end may differ, and I would imagine our sales and marketing departments probably don't care for each other much, but at the end of the day, I would say pretty much all of the antimalware researchers that I know in the industry want that to happen.
Regards,
Aryeh Goretsky
Dexter is a good dog.
Why don't they build upon sel4 from Open Kernel Labs (which has just been acquired by General Dynamics). sel4 has already been mathematically proven to be secure.
I do indeed avoid running or even looking at any competitor's antimalware product. A large part of that (the largest part, as a matter of fact) is because I believe my employer's software is the best. After all, if I did not believe that, I would not be working for them, would I? But the other part is because I have been deposed in numerous patent lawsuits over the years, and the last thing I want to do is get dragged into another one because of something I did.
I hope that explains things with sufficient clarity.
Regards,
Aryeh Goretsky
Dexter is a good dog.
If he seriously wants to brag about his exploit-free OS, let him put it out there in the world. Better yet, let us look at the source. Anything else is just words. Let's see the code.
... the real reason is you can have computers delay and analyze all incoming requests then pass the data on to the 'real computer' or you can keep your computers off the net and whitelist what it can communicate with. The only failure being the human element (who has access to your computers).
You can have high performance or tight security, pick one. The more "secure" you make a computer the more time you spend in observing and analyzing requests.
The range of comments left on this thread provides insight into just how miserable the "state of the art" of secure computing has become. It's sad that practically none of the comments here reflects what research was done in the 60's, 70's and 80's to consider whether it was possible, and if so, figure out an approach to accomplish it.
The goal of the effort that led to the Trusted Computer Security Evaluation Criteria (TCSEC) was to figure out a way for the U.S. Department of Defense (the NSA) and intelligence agencies to buy software and computers from the KGB, and to be able to trust they were secure for use to manage the cryptographic keys and control systems for the nation's most precious secrets (think ICBM launch codes). The fact is, they knew that's what they were doing, at the time - because there was no way to know what manufacturers and developers in their supply chain had been infiltrated by the KGB. The question was not whether this vendor was good or bad, but whether computers could be used securely (with confidence they were secure) at all.
The science recorded there, in the Rainbow series, is the codification of much or most of the knowledge, methods and processes necessary to create verifiably secure systems that are useful and perform valuable work.
Reading that, some will immediately start talking about "secure bricks". Go ahead. In today's world of commodity computers, your first challenge is to figure out if your computer is ever actually inert. If some one else on another computer somewhere can flash your BIOS or update your OS while your machine is turned off, just what do you think you're secure from? Today's commercial computer industry has grown up with deliberate ignorance of, and total lack of customer interest in high assurance security. I know because I came out of that industry.
Yes, the need for Trusted Hardware was addressed in the TCSEC. That's where "Beyond A1" would take you, to A3, if you will. In the absence of that, don't run hardware that creates a haven for autonomous, untrusted software to have unimpeded access to your system memory. Like video cards with graphics accelerators that can bypass hardware memory managers.
Note well - I'm not saying you can't use graphic accelerators - I'm saying you shouldn't use ones that deliberately bypass every attempt to use hardware security features you put into place to enforce security. Or, build your accelerators on chips that can be built using verifiably secure (from deliberate subversion) foundations.
There is a large, influential cadre who believe that the only way to secure data is to encrypt it using custom-made hardware.
As a result, the manipulation of unencrypted data has been left to the commercial market place, whose developers really only wanted a flat address space everyone could share.
Case in point - the (in)famous argument with Linus Torvalds over monolithic vs modular kernel architectures.
Assume:
1) that you aren't (for whatever reason, not necessarily that you're a fucktard and a pompous ass) able to get a job at the better firm, and
2) that you have bills to pay.
It follows that yes, you would.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
... how an exploit-proof OS could be possible, not whether to trust Russians or not.
I am disappoint.
I've met the guy, and he's one of the few who doesn't play ball in the intercept world of "please don't recognise our code as a virus so we can listen in. We're the good guys, honest".
What I see is a lot of conjecture that what Kaspersky is doing cannot be secure because of reasons that have zilch to do with the code in question.
It is very simple: if you want to use it, you will have to have it evaluated by people YOU trust. Stop with the political BS, that has nothing to do with the security of the platform as you evaluate it, only with what you should do with bugs, updates, patches and upgrade (because your eval is only valid for the software as is).
So, get an evaluation company that you trust. If you think you cannot trust something that's foreign, then don't use it. But don't try to tell others it's unsafe because you have no proof.
Facts count. BS doesn't.
Would *I* use it? If I could use and it passed my own audit, why not?
Insert
I confronted the problem of trust when evaluating PGP for private use. How could I be sure that PGP wasn't a ruse sponsored by the US government?
PGP was supposedly written by Phil Zimmermann, a counterculture hero. Its authenticity is vouched for by numerous institutions and academics. But I don't know Zimmermann personally, nor am I familiar with those institutions, nor do I know those academic names personally. On the other hand, I do know that criminal confidence men easily build up phony web sites mimicking trusted financial institutions. They can also easily mimic phony certifications and endorsements from trustworthy people. How could I know that the whole PGP thing wasn't a ruse? Believe what I read on Slashdot? Not on your life.
I concluded that there were only three ways for an individual like me to acquire the trust.
1) invest a whole lot of my time to investigate the certifying institutions and the endorsing academics to verify that they are real and trusted. Then, contact each of them to verify that they really did supply those certifications and endorsements. In other words, invest a huge amount of my own time on original research.
2) Find an unimpeachable source of trusted endorsements and certifications that has an unshakable way to communicate with me. In other words, trustworthy. I'm not holding my breath on that one.
3) Believe in the "too big to keep secrets" theory. Huge companies like Microsoft, Apple, and Google have so many employees and so many detractors that they are unable to keep dark secrets. If I use their products and I am careful to avoid getting phony copies of their products, I may feel more secure.
Since number 3 is the only option that works for an individual with limited resources, that's what I do.
Anyhow, the whole thought exercise made me realize the real truth. For end users, cyber security has very little to do with technology. It is almost entirely an exercise in trust.
Weren't they the ones who said they would not flag up the USA secret services keylogger as a trojan/virus, McAfee?
Really. The only problem here for slashdotters in the USA is that this guy may not be beholden to the USA's law enforcement.
If 1 and 2 were applicable, then it is also possible that the person could be unemployed. There would be consequences for being unable to pay bills, of course, but they would still not be working at a place that they believed was not the best, which is what the GP had asserted.
File under 'M' for 'Manic ranting'
Given the uber-paranoid viewpoint of the Dept of Defense on things computer, does anyone know if Kaspersky's AV is not allowed on DOD computer systems? Not that the guys/gals running DOD cybersecurity are perfect and on top of things, but they are paranoid enough to be worried about KAV if they see K's involvement with the Russian government and/or crime syndicates as a potential problem.
Next time READ the post you are replying to. He said the same thing you're saying (except clearer).
For a given program, there MAY BE a way to determine if it halts. Some programs obviously don't halt, and some obviously do. There are many useful programs that fall into one or the other of those categories. There are algorithms that can prove one property or the other, for some classes of input program. There's just no possible algorithm that can solve this problem (proving that it halts or doesn't halt) for EVERY PROGRAM.
/me waves @ AJ :)
Dexter is a good dog.
Hello,
Well, I don't think there are currently any better firms than my employer in the industry. Come to think of it, Kaspersky Lab is probably the closest thing we have to a direct competitor, at least in terms of researchers.
Regards,
Aryeh Goretsky
Dexter is a good dog.
...that Kaspersky's PLANS for an exploit-proof OS leave experts skeptical. Or maybe, his "ambitions" or even "promises". At the moment, there's no actual OS to be skeptical of.
That the article questions his integrity doesn't mean anything. I have read lots of articles questioning Obama's birth certificate and when you just want to smear somebody, it doesn't take a genius to figure out what's going on.
First, all Chinese companies have links with government, now Russian companies have links with their government. And they want you to believe that there is some sort of plot behind this. It's like talking crap about Google or Microsoft because they work with (not for) the government. I really thought we were over this propaganda bs, but as long as the Pentagon needs funding, we will always need to create new enemies.
Even if you get the source, can you trust your compiler?
/ The Arrow
"How lovely you are. So lovely in my straightjacket..." - Nny