Interviews: Ask What You Will of Eugene Kaspersky
Eugene Kaspersky probably hates malware just as much as you do on his own machines, but as the head of Kaspersky Labs, the world's largest privately held security software company, he might have a different perspective — the existence of malware and other forms of online malice drives the need for security software of all kinds, and not just on personal desktops or typical internet servers. The SCADA software vulnerabilities of the last few years have led him to announce work on an operating system for industrial control systems of the kind affected by Flame and Stuxnet. But Kaspersky is not just toiling away in the computer equivalent of the CDC: He's been outspoken in his opinions — some of which have drawn ire on Slashdot, like calling for mandatory "Internet ID" and an "Internet Interpol". He's also come out in favor of Internet voting, and against SOPA, even pulling his company out of the BSA over it. More recently, he's been criticized for ties to the current Russian government. (With regard to that Wired article, though, read Kaspersky's detailed response to its claims.) Now, he's agreed to answer Slashdot readers' questions. As usual, you're encouraged to ask all the questions you'd like, but please confine your questions to one per post. We'll pass on the best of these for Kaspersky's answers. Update: 12/04 14:20 GMT by T : For more on Kaspersky's thoughts on the importance of online IDs, see this detailed blog posting.
I feel like when someone is as deep in malware protection as you are, you're basically running malware and, I assume, developing malware or finding exploitable aspects of software. I notice you "discover" a lot of malware but I don't recall seeing you publish any exploits. How much malware development do you do? Any at all? Is there anyone in your company that attempts to mimic what other malware does so you can better understand it? Do you feel like that is a necessity in the field of malware protection?
My work here is dung.
Sorry could not resist :)
Related, have you ever tried bath salts?
Architecturally, the operating system is constructed in such a way that even a break-in into any of the components or applications loaded onto it won’t allow an intruder to gain control over it or to run malicious code.
Could you expound on this? Are you writing this code or still in the design phase? Or better yet, could you compare it to something like, say, CentOS or Debian and tell us how your architecture is going to be more secure? I understand you're scoping down the requirements of your OS to be more easily manageable but the skeptic in me feels like it just can't be done. The cat and mouse game must be played in some form or fashion.
My work here is dung.
Did... your special relationship with Russia's former KGB help secure your son, or would any Russian have received that prompt service?
The link in the summary is invalid. Here is the correct one:
http://eugene.kaspersky.com/2012/07/25/what-wired-is-not-telling-you-a-response-to-noah-shachtmans-article-in-wired-magazine/
Learning HOW to think is more important than learning WHAT to think.
You plan on making a secure OS for industrial/infrastructure systems. Do you plan on basing it on preexisting open kernels (BSD, Linux, Haiku, Mach)? Will it be Unix/POSIX-like? Will it be a monolithic or micro kernel? Or are you thinking more of a hypervisor that hosts and monitors the guest OS for the SCADA systems?
---Saying GNOME 3 is better than Windows 8 is not so much a compliment as it is damning with light praise.
There's much talk about combating malware through technical solutions (e.g., adding transparency to communication, building increasingly sophisticated scanning systems, etc).
But what interests me is what we should be teaching our young people (students, in primary and secondary school) with respect to the expertise we wished that all adults possessed.
In your estimation, what are 2-3 things that, if young people understood well, would help them excel in the face of cyber adversity (e.g., malware, privacy theft, etc)?
--Dave
O.J. Simpson is innocent. They did it.
Hello. Love your product.
Can you tell us anything about your work with the KGB? Did you work in operations, or support?
Recent protest movements and the Arab Spring have shown that the ability to use the Internet anonymously is crucial to organising resistance and circumventing censorship or oppression. In light of that, have you modified your views on the "Internet ID"?
What's the easiest way to wipe all the Kaspersky bloat/trial/crapware from new Windows machines?
According to Wikipedia, Natalia Kaspersky, former CEO and co-majority shareholder of Kaspersky Lab released a statement supporting Russia's interest in a countrywide firewall similar to the Great Firewall of China. The definition of 'malware' I most prefer is "Software that is intended to damage or disable computers and computer systems." I see implementations like countrywide firewalls to be little more than disabling computers and computer systems by limiting their ability to connect to other computers. Would you care to comment on why government malware is okay or even desired? Would you care to refute Natalia's position that appears in Kaspersky Lab's Wikipedia article?
My work here is dung.
Do you believe everyone could be issued an ID, and still remain anonymous? What I mean is, I believe that you could ensure each of your users is unique, but not necessarily know who they are. If everyone is issued a certificate signed by some trusted authority, one could verify that the certificate is valid, without the certificate exposing the information about who you are. You could even have a scheme that lets the authority issue you multiple IDs, but only one for each unique ForUseWithDomain attribute, such that if you wanted to keep your identity from being correlated across different sites, you could do so. This could probably even be automated.
This would ensure that if you banned a malicious user from your site, they wouldn't be able to come back without compromising someone else's certificate. Yet, you still get a high level of anonymity.
Sites that require non-anonymous access could deny anonymous certificates, and require that you authorize access to full name perhaps. This would be like OpenID in the way it will prompt you for a site requesting additional information, like your email.
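As an added illustration of the per-domain ID scheme the comment above sketches (this is constructed example code, not the commenter's or any real issuer's design), the snippet below has an authority that verifies identities out of band, derives one pseudonym per (user, domain) with an HMAC it alone can compute, and signs that pseudonym with Ed25519; a site verifies the signature, rejects credentials bound to other domains, and bans pseudonyms without ever learning who is behind them. The user names, domains and the credential format are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Credential is the per-domain "ID" shown to one site; the pseudonym is opaque to it.
type Credential struct {
	Pseudonym string // hex(HMAC-SHA256(authoritySecret, user || domain))
	Domain    string // the ForUseWithDomain attribute from the comment above
	Sig       []byte // authority's Ed25519 signature over (Pseudonym, Domain)
}

// Authority knows real identities and issues exactly one credential per
// (user, domain): asking again returns the same pseudonym, so bans stick.
type Authority struct {
	priv   ed25519.PrivateKey
	Pub    ed25519.PublicKey
	secret []byte          // HMAC key; without it pseudonyms cannot be linked across domains
	users  map[string]bool // identities verified out of band (constructed sample input)
}

func NewAuthority(verified map[string]bool) (*Authority, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	return &Authority{priv: priv, Pub: pub, secret: secret, users: verified}, nil
}

// encode length-prefixes the first field so ("ab", "c.com") != ("abc", ".com").
func encode(first, domain string) []byte {
	return []byte(fmt.Sprintf("%d:%s:%s", len(first), first, domain))
}

// Issue derives the user's pseudonym for this domain and signs it.
func (a *Authority) Issue(user, domain string) (Credential, error) {
	if !a.users[user] {
		return Credential{}, errors.New("identity not verified")
	}
	mac := hmac.New(sha256.New, a.secret)
	mac.Write(encode(user, domain))
	p := hex.EncodeToString(mac.Sum(nil))
	return Credential{Pseudonym: p, Domain: domain, Sig: ed25519.Sign(a.priv, encode(p, domain))}, nil
}

// Site trusts the authority's public key and keeps its own banlist of pseudonyms.
type Site struct {
	Domain       string
	AuthorityPub ed25519.PublicKey
	banned       map[string]bool
}

func NewSite(domain string, pub ed25519.PublicKey) *Site {
	return &Site{Domain: domain, AuthorityPub: pub, banned: map[string]bool{}}
}

// Admit rejects wrong-domain, forged and banned credentials; the pseudonym is the account handle.
func (s *Site) Admit(c Credential) (string, error) {
	switch {
	case c.Domain != s.Domain:
		return "", errors.New("credential bound to another domain")
	case !ed25519.Verify(s.AuthorityPub, encode(c.Pseudonym, c.Domain), c.Sig):
		return "", errors.New("bad authority signature")
	case s.banned[c.Pseudonym]:
		return "", errors.New("pseudonym is banned")
	}
	return c.Pseudonym, nil
}

func (s *Site) Ban(pseudonym string) { s.banned[pseudonym] = true }

func main() {
	auth, _ := NewAuthority(map[string]bool{"alice": true})
	forum := NewSite("forum.example", auth.Pub)
	c1, _ := auth.Issue("alice", "forum.example")
	c2, _ := auth.Issue("alice", "shop.example")
	fmt.Println("unlinkable across sites:", c1.Pseudonym != c2.Pseudonym)
	_, err := forum.Admit(c2) // shop credential replayed at the forum
	fmt.Println("cross-domain replay rejected:", err != nil)
	h, _ := forum.Admit(c1)
	forum.Ban(h)
	c1, _ = auth.Issue("alice", "forum.example") // re-issue: same pseudonym
	_, err = forum.Admit(c1)
	fmt.Println("ban survives re-issue:", err != nil)
}
```

The authority's HMAC secret is the single point that could link pseudonyms back to people, so in a real deployment that key, not the signing key, is what the anonymity guarantee rests on.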
In a small Latin American country like Belize, you've gone on the run, the police are hunting you and your options for escape are coming up short. You've started a blog to discuss your situation, but no external entities have helped. What's your next step?
-- John
Malware continues to be successful despite our current efforts. Why do we continue to use the same failed security model? Automated whitelisting seems like a better answer to modern security problems.
For a life of adventure? It seems to be the in thing for writers of AV software these days.
"To those who are overly cautious, everything is impossible. "
your favorite brand of vodka?
Everything is better with chainsaws.
Received it today:
...
...
Description: VAIO S Series 15 Custom Laptop
Component: 750GB (7200rpm) hard drive
Component: 3rd gen Intel® Core i7-3632QM quad-core processor (2.20GHz / 3.20GHz with Turbo Boost)
Component: NVIDIA® GeForce® GT 640M LE (2GB) hybrid graphics with Intel® Wireless Display technology
Component: Windows 8 64-bit
Component: Internal lithium polymer battery (4400mAh)
Component: Kaspersky® Internet Security (30-day trial)
Component: Black
If you're in favor of "mandatory internet ID" as the summary says, what form should that take? I have been an advocate of fixed IP addresses for everyone, but would something like that be sufficient? I realize there may be issues with mobile devices, but in principle does a fixed IP come close to what you're in favor of? Or is it something much more complex?
Does Kaspersky have a relationship with the Putin administration or the FSB?
Do either of these organizations have any influence on the business practices or technology of Kaspersky antivirus?
Should a security minded person be concerned with the geographic origin of security software?
2 reasons:
1. Existing solutions haven't really been tried, especially in Windows.
2. Every computer owner must have the freedom to run software of his own choice.
Of course, #2 is going away anyway, with the proliferation of the walled garden.
By your definition, what firewall isn't malware?
One of the threats I expect to see more of is in the vein of Ken Thompson's hack, where a compiler (or any other build tool) hosts a trojan and infects other programs it compiles (or links, assembles, etc.) practically undetectably. With open-source software taking an ever-more-vital role in the Internet's core systems, will this kind of attack be easier to detect (perhaps due to the widespread availability of still-clean compilers), or more difficult (perhaps due to the wide network of trusted developers)?
You do not have a moral or legal right to do absolutely anything you want.
Mr. Kaspersky are you safe?
You're operating out of the same country that has a ton of botnet operators raking in some decent dough with cheap pharmaceutical sales, thanks to people desperate or naive enough to buy. There have been some interesting stories hailing from your corner of the world. How do you feel about your ability to run your company the way you want and without any threats to you or your staff?
Wearing pants should always be optional.
I was surprised that companies don't rig the install disc to be self-booting anymore. Why is this??
would not be a problem, but an updated bootable copy seems to be either Voodoo or in the form of "download a full copy every time".
Any person using FTFY or editing my postings agrees to a US$50.00 charge
By your definition, what firewall isn't malware?
The ones that allow a user to configure them as they please. Once that level is abstracted, it's under someone else's control and is limiting and disabling user desired computer interaction. Everyone should run a firewall, no one should be subjected to another man's firewall.
Does Mr. Kaspersky still think that tracking everybody's every move (which is the inevitable result of "Internet ID") is a reasonable approach to curbing a relatively small (as in tiny) percentage of bad apples, seeing how that so far has yielded zilch results in other fields (airport security theatre), and whether the costs, not just in financial terms but also e.g. liberty lost and foregone (persecution, panopticon effect), are worth it in the long term?
Posted anonymously, while I still can. Please do try and convince us that we oughtn't be able to.
Speak , memory.
You seem to support the "Internet X" meme where X is whatever we have in the physical world. ID, passport, voting, interpol, perhaps others. Why?
I mean we are all techies here, OK, so we don't have to act all "marketing" with each other about our new "selling dog food over the internet" patent and so forth.
I've got a perfectly good ID in the physical world that I share with amazon.com, called my postal address and my CC number, and we're both perfectly happy with that situation. I've got a perfectly good paper-and-ink passport for crossing international borders; an internet one seems pointless. I/we have an Interpol who already handle crime about as well as any multinational police force could ever hope to, so I'm unclear what one on the internet would do that the real one isn't already fully responsible for. I have a perfectly good voting site 2 blocks from my house where I can vote in person using optically scanned ballots in perfect safety for like 12 hours on voting day, with no intimidation, and very limited to non-existent corruption because there's both a paper-and-ink ballot and an instant optical scan. What needs fixing about that or moving to the internet?
You've listed some things that have evolved over time to, basically, work pretty well. What is the point of "let's replicate that ... on the internet"? Wouldn't we be all better off if we just improved the real Interpol, instead of making a second shadowy clone? Or improved voting, not just "add internet voting"? Or improved ID, not "add another form of ID to be stolen"?
Or looking at it another way, why not "Internet X" where X is stuff that doesn't work. Health care. Taxes. Politics. Debating.
I don't see this as a strictly financial self interest question, for example you can probably make as much dough, or more, selling to the real Interpol as selling instead to a shadowy secondary clone. What do you care what the name on the invoice is?
From a techie perspective I/we see this as weird. Say my video card is getting slow/flaky. I could fix the one I have by blowing the dust off the fan, but, naah, I'll get a shadowy secondary video card that is a mystery and not nearly as debugged, and try to get them to work in parallel... No, that's just not how techies work. We know better.
So why "Internet X"? Not just "improve X"?
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
Would Kaspersky labs release a detailed document on Shylock malware, what it does, infection rate and so on?
criticized for ties to the current Russian government.
You'll have to give me a break because all the links WRT this topic in our provided summary were 404 when I checked a couple seconds ago, so if I mischaracterize anything then it's all timothy's fault.
Anyways WRT to corp govt relations, I'm guessing the model of the disagreement is:
In the US the corps completely own and control the govt and no other groups or individuals have any input or control over the govt, and we expect everyone else to live that way, but in .ru, the relationship is not quite as centrally controlled or cozy, more or less. Is it that simple or is there more to it?
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
Many pieces of software and hardware used in healthcare are required to pass FDA certification, especially in areas like radiology. Oftentimes, these vendors report that because they are certified on a certain patch level, these systems cannot be patched without losing that certification. Do you see any solutions to the current state of industry-specific software's seeming lack of quality, updates and security?
Given the long-established history with reference monitors and Class A1 design, will your from-scratch OS follow TCSEC (Orange Book) guidance so as to provide verifiable assurance that no trap doors or Trojan horses exist in the code? If not, what is your approach, instead?
Mr. Kaspersky,
Who is winning the Cyberwar?
Do you think you've got a chance at selling your ICS software to Americans? Don't you think they'll be hesitant to buy it?
Given the long-established practice in high-assurance computer systems design of using segments to represent base-level security objects (so as to maximize alignment of hardware-enforced security policies with the promised protections of the objects), will your new OS design rely on segments to represent security objects, or if not, what hardware abstraction will you use, instead?
What do you think of the way western countries have treated Huawei products? Most people agree they are inferior products, don't you agree? Do you feel Kaspersky has received similar treatment?
Is there a question someone could ask you that would likely result in your death if you answered it honestly?
Your move?
http://theinvisiblethings.blogspot.com/2012/09/introducing-qubes-10.html
* Since I understand you are looking to design a secure Operating System of some sort, have you seen that lady's ideas that are a work-in-practice already?
APK
P.S.=> Do you plan to use a similar design?? apk
Dear Mr. Kaspersky,
I have long thought that malware detection is a fool's errand: it seems incredibly difficult, if not impossible, to write a detector for "bad" software when "bad" is not precisely defined. Furthermore, it seems that identifying malware requires computation at least linear in the size of the data input into the system (since that's where one often looks for malware), so it does not seem to be a scalable solution. In my opinion, there are better approaches to security that are more worthy of time and effort: creating usable but strong access controls to compartmentalize software/data on a system being one, and creating compilers that can harden executables from attack as another. I think that malware detection has taken too many resources away from more profitable defenses.
Do you think that there is some value to malware detection that warrants attention to it instead of other techniques, and if so, what is that value?
Oh sorry, it's because AMA (TM) is owned by reddit.
Any comment on these allegations?
How important will the process of choosing a "language-based system" be to ensuring the security of the operating system (OS) you envisage? Choosing a type-safe language to create a memory-safe OS can help with the threats posed by the Internet or malware while also reducing some of the complex code used to get around a lack of type-safety in an OS. Will you be creating your own system or general-purpose programming language to ensure security in this way? If not, there are a few languages already available, or partially available, to choose from: Cyclone (an extension of the last version of C), Red/System (still under development), Euphoria (a system language with type-checking, and it uses simple words instead of punctuation to improve readability) and the combination of a type-safe Assembly that handles hardware and memory with managed C# that handles the rest of the kernel and the applications (like Microsoft implements in the Verve OS and might implement in a future Windows; that is, code-named Midori).
You've been in computer security a long time, and have seen many things come and go.
DOS/bootsector viruses, Windows viruses, macro viruses, rise of worms to replace them, and now the commercialization of malware with botnets, extortion-ware and the targeted weaponised malware like the one that hit Iran (and who knows what else).
What's changed? What's remained the same? What about the malware creators - has their motivation changed?
Where do you believe things are headed?
I assume that various state sponsored agencies provide you with their "research" tools and ask that you not detect them with your products nor should you interfere with their operation. To what extent does this happen, to what degree are you "asked" to comply, and to what degree are you forbidden to discuss this topic? Do you, or if you had the opportunity to do so without repercussions would you offer a version of your products that identified and disabled this spyware?
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
What brought about the move to sponsor the Ferrari Formula One Racing team in 2011 and 2012?
Of course, malware is making him rich and famous, how could it be otherwise.
Other things E.K. loves: poorly conceived O/Ses ; lack of education in users ; and the status quo in matters of computer security.
I'm personally convinced that anti-malware software is a useless hack. Without it, we would have moved away long ago from easily hackable systems.
It's well known that the K in Kaspersky stands for KGB. How tightly are you currently coupled to Russian intelligence, and what services do you provide to them?
What arm of the Russian mafia did you send to whack John McAfee's neighbor? :-)
Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
When Stuxnet originally came out, Symantec provided some amazing research. After Stuxnet, they have been amazingly silent on subsequent threats like Duqu, Flame, etc while your Russian company has provided details. Do you know why Symantec went silent?
This is kind of a two part question. Or more like one statement and one question.
We see Apple growing in market share and one of the memes that has been accepted by a large part of the community is that Apple is not targeted by malware authors in part because the return on investment is not as high as it is for Windows machines. To put it another way, if a malware author targets Windows they get millions of home users, but more importantly, they also have the potential to infect corporate systems, server farms, etc. If they go after OSX, they get a bunch of home computers and some audio visual professionals.
Apple's market share is growing, and they also have converted their OS over to run on Intel chips. It now shares the same hardware base as PCs that run Windows. Given that all of the really advanced malware code (rootkits, polymorphism, etc) is written in Assembly, do you foresee any tipping point coming where OSX will be targeted on a large scale like Windows has been? Or is there simply not enough of a payoff there for the malware creators, given the ease of exploitation and widespread deployment of Windows?
Are there any grounds to allegations that antivirus companies may be involved with creating malware, as a form of job security?
Bow before me, for I am root.
While MS Windows is the most common computer OS around, there are obviously many others. For your personal use, what is your main OS, and how do you keep it secure (do you, e.g. run MS Windows with anti-malware software, or do you run Ubuntu Linux with the defaults)? Is this a setup that you would suggest for others, or is it too esoteric?
HELP MY ACCOUNT HAS BEEN HACKED BY AN ILLIBERAL ART STUDENT SET TO DESTROY THE INTERWEBZ!
Isn't this what vista started? Where it asks if you allow said program to do xyz?
A better interface to lock programs down would be nice.
I think it was Core Force software that used a whitelist approach. It was extremely complicated to set up, but I remember having to give permissions to programs accessing the registry, internet ports and sites, and directory access. I never could get it working with all the programs I used, but nothing ran by default. I might want to try it again on the XP VM I use for Netflix.
[Introduction] (My apologies for the long introduction to the question, but Slashdot only allows one!)
Mr. Kaspersky,
In the 1970's, following an Arab-enforced oil embargo on Israel, the United States found itself amidst an energy crisis. President Jimmy Carter educated America on the Energy Crisis, warning that the issue could escalate into a national crisis, and calling the energy crisis "the Moral Equivalent of War." President Carter outlined 10 policies which touched on reducing demand through conservation, pushing for "predictable and certain" governmental policies, creation of a Strategic Petroleum Reserve, and development of new sources of energy.
Fast forward to the 2010's, and America is in a similar economic condition. Unemployment is rising, economic rebound is uncertain, and inflation all but inevitable. I see the US government pointing fingers of blame at "China" (as if all Chinese hackers represent their state) for targeting security vulnerabilities of private and public US companies' databases, which often hold valuable, private information on US citizens. I assume the US government is either funding or assisting in the development of malware as a Tool for International Policy. The economic incentive towards hacking continually increases, yet few steps are made to prevent it.
[Question] Imagine you are President (of any country in general, not necessarily the United States) - what policies would you put forward to curb this Security Crisis we are entangled in? I've read some snippets about the 'internet interpol' and 'internet ID,' but I'd like to offer you the opportunity to put forward a short, detailed plan (perhaps 5 or 6 bullet points) towards combating this Security Crisis. If you want to change any past statements, or add a little more substance to them, feel free.
[Post Statement] I hope your own opinions have more sustenance than the immature, ultra-libertarian view that government's role is to shrink into nonexistence, ridding the world of its evil. I understand the government is both extremely powerful, yet also inefficient in some cases. I like government, but only when the correct checks and balances are in place.
No trees were killed to send this message, but a great number of electrons were terribly inconvenienced.
Mentions of Ken Thompson's Reflections on Trusting Trust should also mention David A. Wheeler's "Fully Countering Trusting Trust" which provides a means of identifying and resolving a malicious compiler.
Where it asks if you allow said program to do xyz?
For values of "said program" being useless and "xyz" being completely useless. You might as well say:
Every single time I get this prompt it's because a program "asdfjlajeklfefeklagjles.exe" wants to write to my drive somewhere. Where? Damned if I know. The warning for running something I downloaded from the internet is far more informative, especially if the app was signed and it can tell me what the fuck it is rather than a useless gibberish exe name.
With your experience in malware research, what percentage of malware in use today do you see as being from criminals vs. how much is from rogue governments such as China or the US, and how do you see that percentage changing over the next ten years? Technically two questions, but they are deeply related.
Why did the 2012 version get so unbelievably bulky and slow when everyone knows that has killed dozens of antivirus products in the past? At the same time, the kings of bulky and slow, Symantec, improved their product so much it's now virtually the fastest. My shop would never carry them because I hate them to an unbelievable degree, but now we don't carry Kaspersky either. It's just too detrimental to performance. What happened?
Is it true that anti-virus companies make virii? Have you ever heard of such a thing?
Mr. Kaspersky,
Your position running a leading high technology company out of a former Iron Curtain country gives you a unique perspective combining a deep knowledge of information technology with a deep local knowledge of the strengths and weaknesses and possibilities in the largest country in the world. Please spell out for us how Russia could become the dominant country in high tech by the end of the 21st century, displacing Silicon Valley, by making the best use of various local strengths. Please focus your answer on educating us about the resources which Russia has in its people, its institutions, and its society. This is not a question about whether or not this will happen, but a question about what things exist today in Russia in an early stage which could lead to a great leap forward if they are managed correctly.
I believe that Russia is unfairly characterized in the English language media by journalists who do not really understand the richness and variety of the that they are writing about. Please enlighten us.
In a world that is so full of "badness" (virii/viruses, trojans, worms, exploits, malware galore), and where you can just as easily buy a toolkit for making your own "badness", there's more badness than there is "goodness" these days! ..... Why on earth do all the security and anti-virus tools still "enumerate badness"? (*1). It's one of the Six Dumbest Ideas in Computer Security!
Please can't we just have a piece of Anti-Virus software that simply prevents *everything* from running, unless you say otherwise? Then all we need to do is "be smart" about what we *allow* and when, not constantly have to update the list of what we *deny*.
Reference:
*1 - enumerating badness, and "The Six Dumbest Ideas in Computer Security": http://www.ranum.com/security/computer_security/editorials/dumb/
Hello,
If there was one piece of behavior you could change in home Internet users, what would it be?
Regards,
Aryeh Goretsky
Dexter is a good dog.
How will your business model change if Linux became dominant on desktops as it has for tablets?
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Considering the level of suppression and corruption at all levels in Russia (as compared to the EU), how can you guarantee your customers' safety when many international businesses cannot justify operating in Russia?
Most commercial AV software is pretty slow and bogs down your system. In comparison, Microsoft Security Essentials doesn't. The argument has always been that MSE and similar lightweight AV software won't give you 100% protection, but is the extra 0.1% worth the weight of a full "internet security" suite?
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
In this day and age of targeted attacks, what good is a reactive security model such as AV anyway?
When the bad guys come after me and they know I have Kaspersky installed, Kaspersky won't do me any good, so why should I buy it?
Please list the benefits vs. harm of creating Internet IDs? Is it worth giving up anonymity on the Internet - which has allowed the freedom of expression and ideas (almost) worldwide?
Other than preventing DDOS and stealth remote terminal logins, why allow non-government, 3rd parties to easily ID the source of a transmission? IMO, the harm far outweighs any benefits from enabling "Internet ID". i.e.: suppression of freedom of speech would enable new, powerful, and dangerous apps for stalking capability by any non-government 3rd party individual or organization, including: violent psychopaths, mafia, drug cartels, gangs in general to very easily single out targets that speak out of line in forums and other social media.
You missed the part where I said 'automated'.
Imagine a whitelist that checks with a central repository that reputable software manufacturers send their updates to. Even with updates, checking the software you regularly run is now a simpler problem than comparing everything you run to a list of all the malware in existence.
Why is the Management Server software as crap as it is?
You're doing what annoying people sometimes do at conferences: disguising an overly pompous and wordy opinion as a question. Don't do that.
Religion is what happens when nature strikes and groupthink goes wrong.
How exactly are malware analysis jobs done at Kaspersky? Using IDA Pro, OllyDbg and the like? Or dynamic analysis tools? Do you take PhD interns to be attached to your labs?