Interviews: Ask What You Will of Eugene Kaspersky
Eugene Kaspersky probably hates malware just as much as you do on his own machines, but as the head of Kaspersky Labs, the world's largest privately held security software company, he might have a different perspective — the existence of malware and other forms of online malice drives the need for security software of all kinds, and not just on personal desktops or typical internet servers. The SCADA software vulnerabilities of the last few years have led him to announce work on an operating system for industrial control systems of the kind affected by Flame and Stuxnet. But Kaspersky is not just toiling away in the computer equivalent of the CDC: he's been outspoken in his opinions — some of which have drawn ire on Slashdot, like calling for a mandatory "Internet ID" and an "Internet Interpol". He's also come out in favor of Internet voting, and against SOPA, even pulling his company out of the BSA over it. More recently, he's been criticized for ties to the current Russian government. (With regard to that Wired article, though, read Kaspersky's detailed response to its claims.) Now, he's agreed to answer Slashdot readers' questions. As usual, you're encouraged to ask all the questions you'd like, but please confine your questions to one per post. We'll pass on the best of these for Kaspersky's answers. Update: 12/04 14:20 GMT by T : For more on Kaspersky's thoughts on the importance of online IDs, see this detailed blog posting.
I feel like when someone is as deep in malware protection as you are, you're basically running malware and, I assume, developing malware or finding exploitable aspects of software. I notice you "discover" a lot of malware but I don't recall seeing you publish any exploits. How much malware development do you do? Any at all? Is there anyone in your company that attempts to mimic what other malware does so you can better understand it? Do you feel like that is a necessity in the field of malware protection?
My work here is dung.
Sorry could not resist :)
Architecturally, the operating system is constructed in such a way that even a break-in into any of the components or applications loaded onto it won’t allow an intruder to gain control over it or to run malicious code.
Could you expound on this? Are you writing this code or still in the design phase? Or better yet, could you compare it to something like, say, CentOS or Debian and tell us how your architecture is going to be more secure? I understand you're scoping down the requirements of your OS to be more easily manageable but the skeptic in me feels like it just can't be done. The cat and mouse game must be played in some form or fashion.
My work here is dung.
The link in the summary is invalid. Here is the correct one:
http://eugene.kaspersky.com/2012/07/25/what-wired-is-not-telling-you-a-response-to-noah-shachtmans-article-in-wired-magazine/
Learning HOW to think is more important than learning WHAT to think.
You plan on making a secure OS for industrial/infrastructure systems. Do you plan on basing it on preexisting open kernels (BSD, Linux, Haiku, Mach)? Will it be Unix/POSIX-like? Will it be a monolithic or micro kernel? Or are you thinking more of a hypervisor that hosts and monitors the guest OS for the SCADA systems?
---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
There's much talk about combating malware through technical solutions (e.g., adding transparency to communication, building increasingly sophisticated scanning systems, etc).
But what interests me is what we should be teaching our young people (students, in primary and secondary school) with respect to the expertise we wished that all adults possessed.
In your estimation, what are 2-3 things that, if young people understood well, would help them excel in the face of cyber adversity (e.g., malware, privacy theft, etc)?
--Dave
Recent protest movements and the Arab Spring have shown that the ability to use the Internet anonymously is crucial to organising resistance and circumventing censorship or oppression. In light of that, have you modified your views on the "Internet ID"?
What's the easiest way to wipe all the Kaspersky bloat/trial/crapware from new Windows machines?
According to Wikipedia, Natalia Kaspersky, former CEO and co-majority shareholder of Kaspersky Lab released a statement supporting Russia's interest in a countrywide firewall similar to the Great Firewall of China. The definition of 'malware' I most prefer is "Software that is intended to damage or disable computers and computer systems." I see implementations like countrywide firewalls to be little more than disabling computers and computer systems by limiting their ability to connect to other computers. Would you care to comment on why government malware is okay or even desired? Would you care to refute Natalia's position that appears in Kaspersky Lab's Wikipedia article?
My work here is dung.
Do you believe everyone could be issued an ID, and still remain anonymous? What I mean is, I believe that you could ensure each of your users is unique, but not necessarily know who they are. If everyone is issued a certificate signed by some trusted authority, one could verify that the certificate is valid, without the certificate exposing the information about who you are. You could even have a scheme that lets the authority issue you multiple IDs, but only one for each unique ForUseWithDomain attribute, such that if you wanted to keep your identity from being correlated across different sites, you could do so. This could probably even be automated.
This would ensure that if you banned a malicious user from your site, they wouldn't be able to come back without compromising someone else's certificate. Yet, you still get a high level of anonymity.
Sites that require non-anonymous access could deny anonymous certificates, and require that you authorize access to full name perhaps. This would be like OpenID in the way it will prompt you for a site requesting additional information, like your email.
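The per-domain pseudonymous certificate scheme sketched in the comment above, as an added example that is not part of the original post. The `Authority` and `Site` names are assumptions, and a keyed HMAC under the authority's secret stands in for a public-key signature, so here the site asks the authority to verify a certificate rather than checking it locally.

```python
import hashlib
import hmac
import secrets


class Authority:
    """Trusted issuer: knows real identities, hands out one pseudonym per (person, domain)."""

    def __init__(self):
        self.signing_key = secrets.token_bytes(32)  # stand-in for a private signing key
        self.enrolled = {}  # real identity -> secret seed, never leaves the authority

    def enroll(self, real_identity):
        self.enrolled.setdefault(real_identity, secrets.token_bytes(32))

    def issue(self, real_identity, domain):
        seed = self.enrolled[real_identity]
        # Deterministic per (seed, domain): re-requesting the same domain returns the same
        # pseudonym (so a ban sticks), but pseudonyms for different domains are unlinkable.
        pseudonym = hashlib.sha256(seed + domain.encode()).hexdigest()[:16]
        cert = {"ForUseWithDomain": domain, "pseudonym": pseudonym}
        cert["sig"] = self._sign(cert)
        return cert

    def _sign(self, cert):
        msg = f'{cert["ForUseWithDomain"]}|{cert["pseudonym"]}'.encode()
        return hmac.new(self.signing_key, msg, hashlib.sha256).hexdigest()

    def verify(self, cert):
        # With a real signature the site would check this against the authority's public key.
        expected = self._sign({k: cert.get(k, "") for k in ("ForUseWithDomain", "pseudonym")})
        return hmac.compare_digest(expected, cert.get("sig", ""))


class Site:
    """Relying site: learns only the pseudonym, can ban it, never sees the real identity."""

    def __init__(self, domain, authority):
        self.domain, self.authority, self.banned = domain, authority, set()

    def login(self, cert):
        if cert.get("ForUseWithDomain") != self.domain:
            return "rejected: certificate issued for another domain"
        if not self.authority.verify(cert):
            return "rejected: bad signature"
        if cert["pseudonym"] in self.banned:
            return "rejected: banned"
        return "ok:" + cert["pseudonym"]

    def ban(self, pseudonym):
        self.banned.add(pseudonym)
```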
In a small Latin American country like Belize, you've gone on the run, the police are hunting you and your options for escape are coming up short. You've started a blog to discuss your situation, but no external entities have helped. What's your next step?
-- John
Malware continues to be successful despite our current efforts. Why do we continue to use the same failed security model? Automated whitelisting seems like a better answer to modern security problems.
Your favorite brand of vodka?
Everything is better with chainsaws.
Received it today:
...
...
Description: VAIO S Series 15 Custom Laptop
Component: 750GB (7200rpm) hard drive
Component: 3rd gen Intel® Core i7-3632QM quad-core processor (2.20GHz / 3.20GHz with Turbo Boost)
Component: NVIDIA® GeForce® GT 640M LE (2GB) hybrid graphics with Intel® Wireless Display technology
Component: Windows 8 64-bit
Component: Internal lithium polymer battery (4400mAh)
Component: Kaspersky® Internet Security (30-day trial)
Component: Black
Does Kaspersky have a relationship with the Putin administration or the FSB?
Do either of these organizations have any influence on the business practices or technology of Kaspersky antivirus?
Should a security minded person be concerned with the geographic origin of security software?
One of the threats I expect to see more of is in the vein of Ken Thompson's hack, where a compiler (or any other build tool) hosts a trojan and infects other programs it compiles (or links, assembles, etc.) practically undetectably. With open-source software taking an ever-more-vital role in the Internet's core systems, will this kind of attack be easier to detect (perhaps due to the widespread availability of still-clean compilers), or more difficult (perhaps due to the wide network of trusted developers)?
You do not have a moral or legal right to do absolutely anything you want.
Mr. Kaspersky are you safe?
You're operating out of the same country that has a ton of botnet operators raking in some decent dough with cheap pharmaceutical sales thanks to people desperate or naive enough to do so.
There have been some interesting stories hailing from your corner of the world. How do you feel about your ability to run your company the way you want and without any threats to you or your staff?
Wearing pants should always be optional.
You seem to support the "Internet X" meme where X is whatever we have in the physical world. ID, passport, voting, interpol, perhaps others. Why?
I mean we are all techies here, OK, so we don't have to act all "marketing" with each other about our new "selling dog food over the internet" patent and so forth.
I've got a perfectly good ID in the physical world that I share with amazon.com called my postal addrs and my CC number, and we're both perfectly happy with that situation. I've got a perfectly good paper and ink passport for crossing international borders, an internet one seems pointless. I/we have an Interpol who already handle crime about as well as any multinational police force could ever hope to, so I'm unclear what one on the internet would do that the real one isn't already fully responsible for. I have a perfectly good voting site 2 blocks from my house where I can vote in person using optical scanned ballots in perfect safety for like 12 hours on voting day, with no intimidation, and very limited to non-existent corruption because there's both a paper and ink ballot and an instant optical scan, what needs fixing about that or moving to the internet?
You've listed some things that have evolved over time to, basically, work pretty well. What is the point of "let's replicate that ... on the internet"? Wouldn't we be all better off if we just improved the real Interpol, instead of making a second shadowy clone? Or improved voting, not just "add internet voting"? Or improved ID, not "add another form of ID to be stolen"?
Or looking at it another way, why not "Internet X" where X is stuff that doesn't work. Health care. Taxes. Politics. Debating.
I don't see this as a strictly financial self interest question, for example you can probably make as much dough, or more, selling to the real Interpol as selling instead to a shadowy secondary clone. What do you care what the name on the invoice is?
From a techie perspective I/we see this as weird. Say my video card is getting slow/flakey. I could fix the one I have by blowing the dust off the fan, but, naah, I'll get a shadowy secondary video card that is a mystery and not nearly as debugged, and try to get them to work in parallel... No, that's just not how techies work. We know better.
So why "Internet X"? Not just "improve X"?
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
Given the long established history with reference monitors and Class A1 design, will your from-scratch OS follow TCSEC (Orange Book) guidance so as to provide verifiable assurance that no trap doors or Trojan horses exist in the code? If not, what is your approach, instead?
Mr. Kaspersky,
Who is winning the Cyberwar?
Any comment on these allegations?
I assume that various state sponsored agencies provide you with their "research" tools and ask that you not detect them with your products nor should you interfere with their operation. To what extent does this happen, to what degree are you "asked" to comply, and to what degree are you forbidden to discuss this topic? Do you, or if you had the opportunity to do so without repercussions would you offer a version of your products that identified and disabled this spyware?
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
While MS Windows is the most common computer OS around, there are obviously many others. For your personal use, what is your main OS, and how do you keep it secure (do you, e.g. run MS Windows with anti-malware software, or do you run Ubuntu Linux with the defaults)? Is this a setup that you would suggest for others, or is it too esoteric?
HELP MY ACCOUNT HAS BEEN HACKED BY AN ILLIBERAL ART STUDENT SET TO DESTROY THE INTERWEBZ!
What's wrong with AHA?
It'll be gone
In a day or two!
Everything is better with chainsaws.
[Introduction] (My apologies for the long introduction to the question, but Slashdot only allows one!)
Mr. Kaspersky,
In the 1970's, following an Arab-enforced oil embargo on Israel, the United States found itself amidst an energy crisis. President Jimmy Carter educated America on the Energy Crisis, warning that the issue could escalate into a national crisis, and equating the energy crisis with "the Moral Equivalent of War." President Carter outlined 10 policies which touched on reducing demand through conservation, pushing for "predictable and certain" governmental policies, creation of a Strategic Petroleum Reserve, and development of new sources of energy.
Fast forward to the 2010's, and America is in a similar economic condition. Unemployment is rising, economic rebound is uncertain, and inflation all but inevitable. I see the US government pointing fingers of blame at "China" (as if all Chinese hackers represent their state) for targeting security vulnerabilities of private and public US companies' databases, which often hold valuable, private information on US citizens. I assume the US government is either funding or assisting in the development of malware as a Tool for International Policy. The economic incentive towards hacking continually increases, yet few steps are made to prevent it.
[Question] Imagine you are President (of any country in general, not necessarily the United States) - what policies would you put forward to curb this Security Crisis we are entangled in? I've read some snippets about the 'internet interpol' and 'internet ID,' but I'd like to offer you the opportunity to put forward a short, detailed plan (perhaps 5 or 6 bullet points) towards combating this Security Crisis. If you want to change any past statements, or add a little more substance to them, feel free.
[Post Statement] I hope your own opinions have more sustenance than the immature, ultra-libertarian view that government's role is to shrink into nonexistence, ridding the world of its evil. I understand the government is both extremely powerful, yet also inefficient in some cases. I like government, but only when the correct checks and balances are in place.
No trees were killed to send this message, but a great number of electrons were terribly inconvenienced.
Hello,
If there was one piece of behavior you could change in home Internet users, what would it be?
Regards,
Aryeh Goretsky
Dexter is a good dog.