Why Avast Won't Show Source Code To the Government, But Others Do (zdnet.com)

An anonymous reader writes: Avast, a security and antivirus company based in Prague, says they refuse to share their source code, and that the U.S. government hasn't even asked them. This is not necessarily the case for the rest of the industry. Over the summer we learned from a report at The Intercept that GCHQ and the NSA had a project to subvert security software so they could use vulnerabilities and exploits to their own advantage. Antivirus firms McAfee and Symantec were notably absent from the list of targets, and Symantec later confirmed over email that they "permitted source code review in controlled environments to meet government requirements." In addition to raising questions about whether a security product can be trusted under such circumstances, it also causes political problems: "Giving assurances to one country, and receiving government certification, can harm a security company in another. China, a known cyber-adversary of the US, accused Symantec last year of including backdoors that could allow outside access -- though it did not specifically say how -- and banned the product from the country."

  1. Ask? by ememisya · · Score: 1

    They didn't ask Avast for their source code?

  2. RE Security Software by rawtatoor · · Score: 1

    Security Software is a misnomer in this case. You cannot convince me that any software that is not open source (with open source hardware, btw) is safe or secure in any way. That's not what the NSA says, though.

    1. Re:RE Security Software by CastrTroy · · Score: 1

      What good is open source hardware? How are you sure that your open source hardware hasn't been compromised between the factory and your house? Can you really be sure that the documents detailing the open source design of your hardware are actually being followed? Is there really any way for people to verify what's going on inside the CPU?

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    2. Re:RE Security Software by fizzer06 · · Score: 2

      How are you sure that your open source hardware hasn't been compromised between the factory and your house?

      That Fed-Ex driver is a sneaky one with mad hacking skills!

    3. Re:RE Security Software by rawtatoor · · Score: 1

      It's this. It's peanut butter. He's going to ask me if I understand, etc. He's going to confuse the subject. He's going to pretend and insist to the end that he doesn't understand. I understand -- he's a charlatan. Thinking I'm going to try and make him understand, that's his mistake. Don't watch me wind up or nothing, but you're going to get jerked, pal.

    4. Re:RE Security Software by JustAnotherOldGuy · · Score: 1

      That Fed-Ex driver is a sneaky one with mad hacking skills!

      Actually there are numerous documented instances where one three-letter agency or another has intercepted computer hardware en route, added tracking or monitoring hardware/software, and then resealed the box so it could be delivered. I don't have citations at hand, but I believe both the FBI and CIA have admitted to doing this. I think possibly the NSA as well but I don't recall for certain.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    5. Re:RE Security Software by rtb61 · · Score: 1

      It still means that open source software in many areas is likely to get a huge, spy vs. spy push, because no one trusts anyone anymore, because a lot of the spying has devolved to extortion scams (to force political alignment against the wishes of the majority, also very corrupt government-private business 'er' partnerships) and industrial espionage, as well as of course very focused capital investment espionage (think insider trading on a mass scale based on stolen data, NSA/CIA insiders, literally billions to be made).

      Hardware is trickier, so don't trust your PC at all; consider it a compromised device, so wired connection and your modem, router, firewall being much more locked down and restrictive when it comes to blocked external IP addresses, port controls and allowed communications. Smartphone use should be limited, and not used for personal or financially risky communications. Want to share something private? Do it in person with your phone locked in the car, other than of course very public communications on forums; that also still works, possible ideas vs. defined actions.

      --
      Chaos - everything, everywhere, everywhen
    6. Re:RE Security Software by AHuxley · · Score: 2

      Re "... added tracking or monitoring hardware/software, and then resealed the box so it could be delivered"
      "Photos of an NSA “upgrade” factory" (May 15, 2014)
      http://arstechnica.com/tech-po...

      --
      Domestic spying is now "Benign Information Gathering"
    7. Re:RE Security Software by Actually,+I+do+RTFA · · Score: 1

      You cannot convince me that any software that is not open source (with open source hardware, btw) is safe or secure in any way. That's not what the NSA says, though.

      Based on the Symantec quote, it seems more like the NSA wants to audit the anti-virus before it gets used on government systems. So, more likely, Avast isn't asked for their source because they're not getting greenlit to be installed.

      --
      Your ad here. Ask me how!
    8. Re: RE Security Software by JustAnotherOldGuy · · Score: 1

      "Numerous" is an inflation. There's one known instance, which is reason to believe there may be others, but no other examples are known publicly.

      I tried to locate the page which detailed this but couldn't find it. I seem to recall it was an ex-DEA or NSA employee who was explaining it. He recounted that this was done very frequently, with his involvement in over "a couple of hundred" instances. Unfortunately I can't find the page, but it was quite clear that it was by no means limited to one or even a few instances.

      He detailed how they worked closely with UPS, FedEx, DHL, and the USPS to divert packages, fiddle with the hardware, and then seal everything up and have it delivered. Apparently UPS and FedEx had a regular procedure for diverting the packages using a liaison whose job was to coordinate with the particular agency (again, I think it was the DEA or NSA but I can't recall for certain).

      In any case, he made it clear that this was by no means a "one off" thing, but rather an ongoing operation that affected a number of packages from different companies.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    9. Re:RE Security Software by tippen · · Score: 1

      Based on the Symantec quote, it seems more like the NSA wants to audit the anti-virus before it gets used on government systems. So, more likely, Avast isn't asked for their source because they're not getting greenlit to be installed.

      Bingo. There are certain gov organizations that you can't sell into unless you let them audit your source. It's not just the US either. Also required for certain Russian certifications (for example).

  3. Security through obscurity? by Lead+Butthead · · Score: 1

    Well, that one never did work...

    --
    ELOI, ELOI, LAMA SABACHTHANI!?
  4. heh by Anonymous Coward · · Score: 1

    so that's it for Symantec and Mcafee. Keeping Avast, kthxbye.

  5. my theory by kelemvor4 · · Score: 1, Funny

    The USG probably didn't think avast was a big enough player to bother with.

    1. Re:my theory by truck_soccer · · Score: 2

      Considering Avast currently leads the AV market share with almost 25%...

    2. Re: my theory by Anonymous Coward · · Score: 1

      Or they already had what they needed from Avast.

    3. Re:my theory by samson13 · · Score: 2

      My theory is that Avast didn't ask to have their product evaluated, so no government asked for their code to evaluate. To be able to sell security products to a lot of governments you need to be evaluated. Common Criteria is an international group that standardizes and recognizes the evaluations across its members. Being CC evaluated puts you on the shopping list for a reasonably large government market.
      For a list of products that have had at least one government (or their representatives) crawl through the code: https://www.commoncriteriaport...

    4. Re:my theory by AHuxley · · Score: 1

      Yes a lot of the AV brands do that. They give their code to different governments and then tell the world their products are good. Governments looked at the code and allowed them to bid.

      --
      Domestic spying is now "Benign Information Gathering"
  6. We need community alternatives by metrix007 · · Score: 1

    TrueCrypt was a community project, as is its successor. Not to mention Linux and the like. There is no question this model works at this point.

    We need something similar for anti-virus/general security software for non technical-people.

    Let corporations waste money on junk like McAfee and Symantec... millions for peace of mind and not much else.

    Let the community have an option that we can rely on as being non-backdoored, so that non-technical users who need it, such as journalists, can have a reliable option.

    KGIII, please ignore this post. No irrelevant anecdotes thanks.

    --
    If you ignore ACs because they are anonymous - you're an idiot.
    1. Re:We need community alternatives by DarkOx · · Score: 2

      The model works for Linux and TrueCrypt because the barrier to entry is low. Anyone can work on those projects with just about any PC from the last decade in their basement.

      No, you probably can't hack on a specific hardware driver much without buying some kit, but most people doing that have said kit and are incentivized to make it work for them, then they just share. I know some of the kernel driver devs 'work for kit' too: send me a shiny new iWhatever and I'll try to update the iWhatever N-1 driver to work with the new device, etc.

      A/V on the other hand still relies first and foremost on signatures, be they for files on disk or IPS-like signatures for the integrated firewalls. Yes, anyone can work on the heuristic and IOC monitoring side of things, but you probably can't build an effective package that way. To create signatures you need a vast network of monitoring and information gathering points. You need to have honey pots stood up, etc. It's a big coordinated effort to aggregate all the data too, which won't be 'fun' for really anyone to work on.

      It's really the same issue we see with open source games, GIS applications, and anything that is as content heavy as it is tech heavy. The open source model is very good at building the tooling and basic infrastructure. It's pretty good at solving 'interesting' problems and other blue sky efforts. It falls down when it comes to doing things that require running the infrastructure or grinding work creating content, like scanning 1000s of USGS maps or something.

      So OSS could create the AV software, it could create the analysis tools to monitor malware execution on a vast array of virtual machines and compile the results into defs, but it will not host the vast array of virtual machines, because that costs real money, real big money, that has to come from some place.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    2. Re:We need community alternatives by AHuxley · · Score: 1

      The other issue is how a government will log a user's daily AV upgrade patterns. What brand, version, when they update.
      A unique "equipment interference" project would then create gov malware just for that user. No signature would/will ever exist as it is one of one. Any outgoing software firewall would see it as being allowed/trusted by the user.
      Heuristic analysis can help. More security on the average AV phone-home and update functions was often lacking, allowing governments to have a good understanding of a user or system just from provider network logs.

      --
      Domestic spying is now "Benign Information Gathering"
  7. China is whaaat? by Anonymous Coward · · Score: 1

    "China, a known cyber-adversary of the US"
    Says who?
    Says the same folks that fingered Iraq for 9/11?
    And just what constitutes a "cyber-adversary"?
    Does that mean we are both in the playoffs?

    Welcome to SlashFox!

    1. Re:China is whaaat? by Coren22 · · Score: 1

      Says the same folks that fingered Iraq for 9/11?

      So, um, no one?

      Iraq was about their claims to be building a nuke, while importing Yellow Cake Uranium, and refusing nuclear arms inspectors. It never had anything to do with 9/11 except that it happened shortly afterwards.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    2. Re:China is whaaat? by hyades1 · · Score: 2

      I always find it amusing when Americans like you don't even know your own recent history. Read and learn, you smug, cretinous dumbass:

      http://antiwar.com/blog/2013/0...

      --
      I've calculated my velocity with such exquisite precision that I have no idea where I am.
    3. Re:China is whaaat? by pixelpusher220 · · Score: 1

      And if Iraq was about oil, why did not one US company get in on the rebuilding, transport, or refining of Iraqi oil?

      because the jackasses that lied our way in planned the exit just as well as the entrance?

      Thousands of active chemical weapons, millions of liters of dual-purpose chemicals, and hundreds of tons of uranium don't count as WMDs?

      No they don't. They didn't have ANYTHING remotely close to what was promised they had. A few relic bombs is not a justification for invasion of another country.

      --
      People in cars cause accidents....accidents in cars cause people :-D
    4. Re:China is whaaat? by DarkOx · · Score: 1

      I say again, it takes two to tango. If there was nothing to hide when it became very clear we were moving forward with an invasion force, Saddam still could have said "wait, time out, look at whatever you want, wherever, any time." The US military rather than the UN inspectors could have gone in and done the verifying. He did not do that even though he had to have known there was no possible way his forces could repel a US invasion.

      This leads me to conclude there are a few possibilities:
      1) Saddam thought he had weapons he did not have
      2) There were in fact weapons and interested parties succeeded in removing/hiding them before our occupying force made that impossible
      3) There were weapons we found them, and are being lied to about that for 'reasons'

      My guess is 2, because 3 requires a cover-up that would be hard in the modern world. Too many people would have seen too much, and there are too many people with strong political interests, not all of them domestic, that would want to see some of that information out there. If nothing else, Sunni groups like ISIS would want to use it as anti-secular and anti-Shia propaganda.

      1 bothers me for similar reasons: folks like Chemical Ali existed, and it would have been hard for them to cover up the fact the cupboard was bare to Saddam and his sons in the context of weapons inspections and so forth. Impossible? No, but unlikely I think.

      Which leaves 2 again. There were allegations weapons were being smuggled into Syria during the Iraq war. Suddenly, when the Syrian conflict breaks out, chemical weapons are used. We know the regime had such weapons. There is cause to suspect some of the attacks might have been staged by the rebels, who could easily have obtained them from the chaos that was Iraq. It all fits, or Assad might have been sitting on even larger stockpiles of the stuff after the collapse of Iraq and simply said might as well use some.

      Finally, WMDs or no WMDs, the "Bush lied" narrative isn't really accurate unless you're an apologist for the DNC. Plenty of folks on the foreign intel committees had access to pretty much all the information the Administration did. Intel isn't an exact science. A case was made based on the evidence; maybe the evidence was weak, circumstantial, and tainted, but lots of Senate and Congress critters went along and voted en masse to authorize the war, but "Bush espoused his inaccurate view" does not sound as good in a stump speech. Personally, while I am happy to admit in hindsight Iraq was stupid and we should have known better, what I find more astonishing is the current President's total failure to learn anything from that experience. This is the type of mistake our nation probably has to make once a generation. We should only be making it once a generation, though. Meanwhile the military misadventures in the Middle East continue.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    5. Re:China is whaaat? by Coren22 · · Score: 1

      I know the history quite well, I was an adult working in the defense industry for the whole thing. There was never any claim that Saddam had anything to do with 9/11; that was why the invasion of Afghanistan happened, not Iraq. Iraq was about WMD and the very strong and right belief of WMD there. Saddam thought he could bluff having the nukes to keep the US and Iran from invading him; he prevented UN weapons inspectors from entering the country and inspecting the weapons sites. He bought Yellow Cake Uranium, presumably to build the bombs. He had previously gassed the Kurds, and it was widely believed that he was insane enough to attack Iran and incur the wrath of the world, where Kim in North Korea is too chicken to try it.

      It was a widely held belief on both sides of the aisle that Iraq/Saddam posed a real danger of nuclear and chemical war; it wasn't just some rumor.

      http://politics.slashdot.org/c...

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    6. Re:China is whaaat? by Coren22 · · Score: 1

      My assumption is also 2, my guess is that his were the chemical weapons used in Syria, not the Syrian chemical weapons.

      The US telegraphed our attack way in advance, I don't recall exactly how long it was, but my belief is it was months. There was plenty of time to move the weapons over the border into Syria.

      For the Bush lied fanatics, I keep this link in a text file on my desktop, it lists tons of people in the DNC and Clinton's cabinet talking about the WMD:
      http://politics.slashdot.org/c...

      Personally, I don't blame Obama for the current shape of Iraq, I blame the Iraqi president. He forced the US to withdraw with terms he knew we would never accept, he made his bed, and now has to sleep in it. I haven't heard of Iraq asking us to come back yet, and I would expect that would be all over the news stations if he did, so I can only assume he is being stubborn or honestly believes that his troops can handle ISIS.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    7. Re:China is whaaat? by hyades1 · · Score: 1

      That is a plain, flat-out lie, and you know it.

      Cheney and the rest of that odious crowd made it Job 1 to convince Americans there was a connection.

      They succeeded.

      --
      I've calculated my velocity with such exquisite precision that I have no idea where I am.
  8. Why they won't... by viperidaenz · · Score: 1

    Because they weren't asked. No need to make up other reasons, Avast, just because you weren't picked.

    The government obviously isn't trying to have a peek at all anti-virus/security software.

    They probably only want to look at the code for the software they may want to actually use, since it runs at the highest privilege on all their workstations and inspects all the email on their mail server, etc.

    1. Re:Why they won't... by tlhIngan · · Score: 1

      Because they weren't asked. No need to make up other reasons, Avast, just because you weren't picked.

      The government obviously isn't trying to have a peek at all anti-virus/security software.

      They probably only want to look at the code for the software they may want to actually use, since it runs at the highest privilege on all their workstations and inspects all the email on their mail server, etc.

      In other words, lemonade!

      USG wants to purchase security software and roll it out across their various departments or so. They put in a call for bids to let anyone who has such software submit for testing and evaluation and maybe even purchase. (And believe me, government purchases are huge).

      The problem is, Avast didn't make it past the first cut. Presumably what happens is the bids are examined for how suitable the proposal is to meeting requirements, then after that cut (which will probably cut out the vast majority of submissions for being inappropriate, inadequate, and insufficient), they do far more technical evaluations. If you get 1000 entrants, it's harder to effectively test them all; if you can eliminate 980 from the running, then you can test the 20 remaining ones more thoroughly.

      Avast probably was one of those cut. Instead of the negative news that they were out of the running while their competitors were still in, they simply spun some PR around and made it seem like they took "the moral high ground", thus turning lemons (not being part of the bid) into lemonade (we won't release source code!). Presumably a source code audit might be one of the technical merits they'd be judged upon had they succeeded past the first round.

      Reminds me of an old joke - the US and Russia decided to race each other in a classic car race. The US car won. The Russian newspapers had the following headline - "Russia comes in second. US comes in next to last."

  9. Easy for them... by acoustix · · Score: 1

    "they refuse to share their source code, and that the U.S. government hasn't even asked them"

    How wonderful of them! That's like me saying that I haven't killed anyone for $100,000 even though nobody ever asked me.

    It's easy to be moral when you haven't been challenged.

    --
    "A plan fiendishly clever in its intricacies"- Homer Simpson
  10. Re:China is dumb by ahodgson · · Score: 1

    They give the Chinese government something they claim is the Windows source code. Unless China is compiling it and distributing the output, there is no reason to believe it's what they're actually running.

  11. Re:China is dumb by fullmetal55 · · Score: 1

    And Symantec is competent in what reality? Have you used Backup Exec? or Antivirus? or their Anti-Spam or really anything of theirs?