Slashdot Mirror


Why Avast Won't Show Source Code To the Government, But Others Do (zdnet.com)

An anonymous reader writes: Avast, a security and antivirus company based in Prague, says they refuse to share their source code, and that the U.S. government hasn't even asked them. This is not necessarily the case for the rest of the industry. Over the summer we learned from a report at The Intercept that GCHQ and the NSA had a project to subvert security software so they could use vulnerabilities and exploits to their own advantage. Antivirus firms McAfee and Symantec were notably absent from the list of targets, and Symantec later confirmed over email that they "permitted source code review in controlled environments to meet government requirements." In addition to raising questions about whether a security product can be trusted under such circumstances, it also causes political problems: "Giving assurances to one country, and receiving government certification, can harm a security company in another. China, a known cyber-adversary of the US, accused Symantec last year of including backdoors that could allow outside access -- though it did not specifically say how -- and banned the product from the country."

6 of 79 comments

  1. Re:my theory by truck_soccer · Score: 2

    Considering Avast currently leads the AV marketshare with almost 25%.....

  2. Re:We need community alternatives by DarkOx · Score: 2

    The model works for Linux and TrueCrypt because the barrier to entry is low. Anyone can work on those projects with just about any PC from the last decade in their basement.

    No, you probably can't hack on a specific hardware driver much without buying some kit, but most people doing that have said kit and are incentivized to make it work for them; then they just share. I know some of the kernel driver devs 'work for kit' too: send me a shiny new iWhatever and I'll try to update the iWhatever N-1 driver to work with the new device, etc.

    A/V on the other hand still relies first and foremost on signatures, be they for files on disk or IPS-like signatures for the integrated firewalls. Yes, anyone can work on the heuristic and IOC monitoring side of things, but you probably can't build an effective package that way. To create signatures you need a vast network of monitoring and information gathering points. You need to have honey pots stood up, etc. It's a big coordinated effort to aggregate all the data too, which won't be 'fun' for really anyone to work on.

    It's really the same issue we see with open source games, GIS applications, and anything that is as content heavy as it is tech heavy. The open source model is very good at building the tooling and basic infrastructure. It's pretty good at solving 'interesting' problems and other blue sky efforts. It falls down when it comes to doing things that require running the infrastructure or grinding work creating content, like scanning 1000s of USGS maps or something.

    So OSS could create the AV software, it could create the analysis tools to monitor malware execution on a vast array of virtual machines and compile the results into defs, but it will not host the vast array of virtual machines, because that costs real money, real big money, that has to come from some place.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  3. Re:RE Security Software by fizzer06 · Score: 2

    How are you sure that your open source hardware hasn't been compromised between the factory and your house?

    That Fed-Ex driver is a sneaky one with mad hacking skills!

  4. Re:my theory by samson13 · Score: 2

    My theory is that Avast didn't ask to have their product evaluated, so no government asked for their code to evaluate. To be able to sell security products to a lot of governments you need to be evaluated. Common Criteria is an international group that standardizes and recognizes the evaluations across its members. Being CC evaluated puts you on the shopping list for a reasonably large government market.
    For a list of products that have had at least one government (or their representatives) crawl through the code, see https://www.commoncriteriaport...

  5. Re:RE Security Software by AHuxley · Score: 2

    Re "... added tracking or monitoring hardware/software, and then resealed the box so it could be delivered"
    "Photos of an NSA “upgrade” factory" (May 15, 2014)
    http://arstechnica.com/tech-po...

    --
    Domestic spying is now "Benign Information Gathering"
  6. Re:China is whaaat? by hyades1 · Score: 2

    I always find it amusing when Americans like you don't even know your own recent history. Read and learn, you smug, cretinous dumbass:

    http://antiwar.com/blog/2013/0...

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.