Should Kaspersky Lab Show Its Source Code To The US Government? (gizmodo.com)
Today the CEO of Kaspersky Lab said he's willing to show the company's source code to the U.S. government, testify before Congress, and even move part of his research work to the U.S. to dispel suspicious about his company. The Associated Press reports:
Kaspersky, a mathematical engineer who attended a KGB-sponsored school and once worked for Russia's Ministry of Defense, has long been eyed suspiciously by his competitors, particularly as his anti-virus products became popular in the U.S. market. Some speculate that Kaspersky, an engaging speaker and a fixture of the conference circuit, kept his Soviet-era intelligence connections. Others say it's unlikely that his company could operate independently in Russia, where the economy is dominated by state-owned companies and the power of spy agencies has expanded dramatically under President Vladimir Putin. No firm evidence has ever been produced to back up the claims...
Like many cybersecurity outfits in the U.S. and elsewhere, some Kaspersky employees are former spies. Kaspersky acknowledged having ex-Russian intelligence workers on his staff, mainly "in our sales department for their relationship with the government sector." But he added that his company's internal network was too segregated for a single rogue employee to abuse it. "It's almost not possible," he said. "Because to do that, you have to have not just one person in the company, but a group of people that have access to different parts of our technological processes. It's too complicated." And he insisted his company would never knowingly cooperate with any country's offensive cyber operations.
A key Democrat on the Senate Armed Services Committee has told ABC that "a consensus in Congress and among administration officials that Kaspersky Lab cannot be trusted to protect critical infrastructure." Meanwhile, Slashdot reader Kiralan shares this article from Gizmodo noting Kaspersky Lab "has worked with both Moscow and the FBI in the past, often serving as a go-between to help the two governments cooperate." But setting the precedent of gaining trust through source code access is dangerous, as is capitulating to those demands. Russia has been making the same requests of private companies recently. Major technology companies like Cisco, IBM, Hewlett Packard Enterprise, McAfee, and SAP have agreed to give the Russian government access to "code for security products such as firewalls, anti-virus applications and software containing encryption," according to Reuters. Security firm Symantec pointedly refused to cooperate with Russian demands last week. "It poses a risk to the integrity of our products that we are not willing to accept," a Symantec spokesperson said in a statement.
Beyond the paranoia, shouldn't Americans strive to buy American if there is an available competing product? I'm not "flag waving", but it does seem like at least one way to contribute to the American economy in some way.
If you want news from today, you have to come back tomorrow.
he means 'President Trump'
Well, come on now, you really must answer, "Yes" if you are for open source and the ability of the user(s) to review the code. After all, isn't the U.S. Government right now saying that they don't trust the code? Or, they've got concerns, at least?
... no?
If the government wants to see the source code of a product, they can choose an open source one like the rest of us.
No moderation option "-1 Moron", so posting it instead.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Why should anyone trust closed source security software in the first place?
Even if Kaspersky shows the source today and intends to be completely upright in their dealings, they are still susceptible to govt interference. The govt could bully them into doing its bidding, or could plant its own people on the team.
Just as I understand China not wanting to take MS at its word, we should probably not rely on these guys.
A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
You might as well email all your files directly to Vladimir Putin.
I e-mailed all my gay clown porn to vlad247@aol.com. He wrote me back a nice thank you letter. I now run Kaspersky on all my devices without fear!
The real value of anti-virus software is not the source code, it's the data--the signatures it looks for to spot malware. I'm fine with them keeping their database proprietary. But why not make the source code freely available...unless they have something to hide!
Let's say they release some source code. Who could prove that the executable that customers use, was compiled from that source code, without modification?
a) Don't trust Symantec, they've got stuff to hide in their source code whether it's NSA-stuff or sloppy code.
b) You can probably trust Kaspersky for most things except NSA-stuff.
I've personally never trusted Symantec and I always thought Kaspersky was good enough for the home, I never considered them to be a serious contender in the enterprise-market. I have serious reservations about most US-based closed source (security) software and closed system hardware manufacturers. The NSA persuaded a relatively small (10k employees) employer of mine to install taps with full cooperation of Cisco and IBM, so any of these larger companies must have ties if not outright taps in the software.
What we really need is for these companies to open-source their stuff.
Custom electronics and digital signage for your business: www.evcircuits.com
In general, no. No way should any government be able to just demand access to the code that makes your product unique from your competitors.
However, if you are up for a government contract to supply said product for government use -then allowing code review sounds reasonable.
Will it ever end?
Yeah, well a real moderator showed up and modded him +1 Insightful, so fuck you.
I wish all these idiot democrats would drown in a sea of their own bullshit
Agreed.. Trump has been the bets thing to happen to the USA in 8 years. Watching these Democrats try to create Russia hysteria is better than watching house of cards. It's also outed a lot of these fake journalists.
What about Veeam?
What about Acronis?
there aren't "real" moderators here. they're just random selections from the logged-in user base.
not really much different than grabbing joe schmoo off the street. the odds are fair that the person you grab is going to be an idiotic trump supporter, too.
Quick joke: Donald J. Trump
It's kinda F'ed up to take glee in the demise of a nation for the giggles.
Any US citizen who isn't worried about what Russia pulled off in the last election either has their head up their own ass or has their head up Trump's ignorant and xenophobic ass.
Forget Democrat or Republican, the Russia debacle is about the sovereignty of the nation.
The fact Trump won't even acknowledge Russia's actions should make EVERYONE suspicious of him, but there clearly hasn't been any real evidence of his involvement. Frankly, I'm not sure the Russians would have wanted him involved seeing as he can't seem to keep his freaking mouth shut for more than a day.
Trump won't be in office in three years, much less for 8.
That grifter is neither physically nor mentally fit enough to survive the self induced outbursts of rage he subjects himself to.
Now, the US will still be suffering from his nonAdministration eight years from now, but that's a different point.
Back on topic, showing the source is BS, because you can keep two sets of code just like you keep two sets of books. Use a weaker algorithm like sha1 and you can even force the collision to verify the output matches.
WannaCry proved why Apple was smart not to create a tool for the federal government that could be used to break encryption on iOS based devices. If such a tool exists it will inevitably be leaked. Kaspersky should tell the federal government where they can stick it if they ask for the source code and they most certainly shouldn't offer it up.
The government is free to write its own anti-virus software.
Seven puppies were harmed during the making of this post.
...what Russia pulled off in the last election...
So, what exactly did they "pull off", how did they do it, and what evidence do you have?
Provide specific intelligence from impartial sources (not biased media such as the NY Times or the WaPo) to back up your claims. I strongly suspect you can't answer.
How many US companies would want to show their source code to the Russian government? The Russia government has a far more trustworthy record in this area. Most malware now is based on code from the NSA. I think Kaspersky should not trust the US government and by doing so they become less trustworthy. If they rolled over on this how can we trust them not to allow changes to their code?
I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
Trump thinks his daughter is a hot piece of ass.
Just stop it. The whole "muh Russia" BS is exactly that, BS. Even the DNC propaganda channel admitted it.
I am not an AC hiding behind anonymity like the scum you are. And who says moderators cannot be morons as well? Incidentally, he is now at "0, Insightful" meaning he got modded down again, because a smart moderator undid the mistake the other one made.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Nice, we're starting to see them here too. It's not just reddit getting the vatnik trolls anymore!
Its like mkultra lite. Someone posts something to do with russia and those comfortable little neural pathways fire all the way to their pre-programmed destination. And we end up with a thread about Trump.
Are you Putin's bitch like Trump?
They are (to the extent it is applicable to anything that's Russian) a private company, at least on the US market, and they can hide or disclose whatever parts of the code they want, unless there's a subpoena or a search warrant. But by the same token, of course no agency in their right mind, much less a government agency, can possibly contemplate using anything developed by a KGB man.
I can assure you, the best way to get rid of dragons is to have one of your own.
"Russian anti-virus CEO offers up code for US govt scrutiny"
http://hosted.ap.org/dynamic/s...
"... ready to have his company's source code examined by U.S. government officials"
Domestic spying is now "Benign Information Gathering"
It's an old security concept that people seem to forget.
Design your system so that as long as your credentials are not compromised (passwords/certs/authentication keys), attackers should be able to get everything else about your system and still be kept out.
Now, this is NOT saying that secrecy has no value. I readily admit that I'm not perfect, so I keep details of my systems secret as a second layer of protection (make the attacker work harder, which gives me more of a chance to detect that they are there)
But when you are looking to implement security software produced by someone else, being able to inspect it is good, because you cannot have confidence that your attackers haven't had a chance to inspect it, so you want to be on equal footing.
This is one of the reasons why Open Source is so important for such systems.
Catches a lot, low footprint, Czechoslovakia is just awesome.
TFA: "A key Democrat on the Senate Armed Services Committee has told ABC that "a consensus in Congress and among administration officials that Kaspersky Lab cannot be trusted to protect critical infrastructure.""
The same could be said by any foreign government or individual about Microsoft or Apple operating systems.
"I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
I'm waiting for Mueller's report to pass judgement. Opposition senators' "there's smoke" (but no evidence) comments and "a little bird told me" fake news hold no value.
I e-mailed all my gay clown porn to vlad247@aol.com. He wrote me back a nice thank you letter. I now run Kaspersky on all my devices without fear!
Links or STFU.
"I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
Invest in software and hackers, corrupt politicians and useful idiots, smear propaganda on TV
and you don't need to conquer more economically and advanced countries
you own them
you can "elect" anybody, sabotage anything
Their most prominent software companies give you all their codes, plus espionage..
something like "the capitalists sell to us rope that we use to hang them "
So Obama was fooled by thinking Russia is weak and was defeated with shame as dumb loser
Maybe you should spend some time reading. If you don't like the NYT or WaPo, there are plenty of other credible places to get your news. Hell, if you're in the US, you could even watch the House and Senate intelligence committee hearings and hear it straight from the US intelligence officials.
The only people who don't seem to want to admit what Russia did are Trump's administration and the 30 some % of Americans still blindly following him.
Don't be so ignorant, it's a disservice to yourself and everyone around you.
With regard to whether there was any actual collaboration between Trump's team and Russia, you're absolutely right. I am fairly skeptical that Trump was actually involved, because, frankly I don't see why Russia would WANT to involve him.
Too many people on the left are screaming 'COLLUSION' and too many people on the right have their fingers in their ears, dancing around yelling 'LALALA... I CAN'T HEAR YOU... LALALA'
The CIA saves explosives and Kaspersky's software is rendered useless.
...because Trust The Government https://www.youtube.com/watch?v=wofs8ZpcXlM
Seriously, let them decide "fuck the USA, we still have the rest of the world". Downside? Sales in the US fall. Upside? As the great lady sings "Are EE Ess Pee Ee See Tee".
Give em the source. Downside? NSA says "damn, never thought of that.". Or "damn, they just found $NSA_Hack_Tool". Upside? Nothing I can think of, outside of sales in the US.
typical trump supporter, can't even spell a four letter word
BEST motherfucker not BETS
I don't think the us public should blame Russian companies for what Putin does, without evidence.
Does Kaspersky send data back to Kaspersky hq? Are there 0 day malware/virus signatures missing from the database?
that said, the us gov shouldn't trust domestic code any more than foreign. Sleeper cells could be asleep anywhere.
Looking at all gweihir's posts would reveal a lot more about him or her than would a single a/c's post. All we can tell from your post is that you're not too good at thinking.
He's right!
"sure, here's mode code right here. I promise it's the real thing"
Regardless of the other arguments, who really thinks he will provide the real code?
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
Isn't the American government a wholly owned subsidiary of the Russian government at this point?
No, I want Trump shot into the sun, but at worst, Russia used journalism against America, which is GOOD for the people, albeit bad for the government.
This is my signature. There are many like it, but this one is mine.
It's unlikely that his company could operate independently in Russia, where the economy is dominated by state-owned companies and the power of spy agencies has expanded dramatically under President
The funny part is that you can take this sentence, replace Russia by US, and state-owned by privately-owned, and it is still true.
Because Putin's anti-virus would be the one most likely to not have NSA backdoors, which is what an American citizen should be concerned about.
This is my signature. There are many like it, but this one is mine.
don't cry now. your mummy can't help you.
you sir have drunk the Koolaid... first of all, the USA has interfered with more elections than Putin has had breakfasts. To think that modern governments do not use their intelligence services for subversion is to be completely ignorant and childish.
But.. to think that these subversions can sway multitudes the size of the USA more so than CNN/FOX/MSNBC etc is supremely stupid.
Hillary lost because she was a bad candidate.
Trump won because the USA is sick of lying politicians and news anchors.
Get used to this... because idiots like yourself are going to be marginalised.
Don't be too harsh, he's more likely a Russian with English as a second or third language.
DIFFERENT argument. entirely.
This is being compelled to show source code.
You're talking about which one is more trustworthy. Completely different discussion.
Who believes the US government doesn't have a full copy of the source already?
If only a government has access to the source then the government could find flaws in it easier to exploit it and keep it secret from the other governments and everyone else. Either make the source available to everyone or leave it secret to everyone outside the company.
For once, the answer to the headline is "yes."
Yes, Kaspersky should show its source code to the US Government. They should show their source code to all of their users. All software should come with its source code. If you weren't convinced of that before, you should have been by the audit of Toyota's source code.
http://www.safetyresearch.net/...
Yeah Trump was a habitual liar even before he got elected so... now that he's a politician it's official
it's the kind of positive make-work project that does good things for the local economy. The guys I know in the defense industry make 2-3x the going rate for the equivalent work (unless they're high-end math guys, Wallstreet gobbles those guys up for HFT).
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
It's important that the US government, the primary creator of forced backdoors and exploits, can make sure code doesn't have... oh.
Now, if you'll excuse me, I've got to go and patch everything in my home due to the huge cache of zero day exploits the NSA were hoarding, rather than reporting, until they got leaked.
Who to trust? American Software? Ask the NSA, they will recommend it.
If the russians want to spy, they at least want to spy on the government not on the people.
Yes I would agree, she is hot!
Moron? Traitor? You be the judge...
Today the CEO of Kaspersky Lab said he's willing to show the company's source code to the U.S. government, testify before Congress, and even move part of his research work to the U.S. to dispel suspicious about his company. The Associated Press reports:
From real life to gaming VR I've never heard of anyone being able to dispel suspicious.
A 'singular oddity' is an event that cannot be explained and only happens when you are alone.
"Kaspersky Lab cannot be trusted to protect critical infrastructure"
Whereas the US government is totally trustworthy. /sarc
Enjoy life! This is not a dress rehearsal.
why ask? are they not already sharing everything? I really really don't buy all the we are innocent BS from every american company... Apple is a good example... I bet the whole thing with the phone unlocking was a big publicity stunt for both Apple, NSA and the company that "opened" the phone... Geez... give us a break... the rest of the world is not that stupid!
All the butt hurt Hillary supporters need to explain how killing the TPP makes Trump the devil... coz I sure can't see it that way
Some speculate that Kaspersky, [...] kept his Soviet-era intelligence connections.
No shit. Of course he did, you have to be a total idiot not to have connections to the intelligence sphere of the country you are operating in if you own a company in the security industry.
The question should not be if he has connections. That's a given. You think McAfee has no such connections? The question is if they affect the product he is selling in a technically meaningful way. That he keeps such connections for the purpose of sales is clear.
But hey, digging deeper than a sensationalist quote has fallen out of fashion, hasn't it?
Assorted stuff I do sometimes: Lemuria.org
Russia is a kleptocracy, and it's absurd to think they could not put the screw on Kaspersky. While they are based in or have assets in Russia, I certainly wouldn't use them. End of story.
If Kaspersky resisted, it'd be bullets and polonium tea all around. Simple as that.
I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
It is obvious to anyone who isn't an idiot that the Democrats in American Government have listened far too much to people like Dmitri Alperovitch.
I, for one, wouldn't let the likes of "Crowdstrike" anywhere near my network for any reason whatsoever.
For suing microsoft over av.
I suppose traitor would be the closer answer. I'm opposed to my government because I give a shit about my country. I think we should release anything bad on Putin, Russian hackers should release anything bad on us, and rinse and repeat for every other country in the world. Then, we get plenty of sunshine, and the cockroaches scatter.
This is my signature. There are many like it, but this one is mine.
Yeah, but he's a different kind of liar, which was slightly less disgusting to a portion of the population. Particularly, he told the truth on some issues, such as TPP. Had the Dems nominated Sanders, a lot of that appeal would have been gone.
This is my signature. There are many like it, but this one is mine.
I use Kaspersky as my primary AV. I went through the same thought process (although without the enormous resources of the US gov't) and found no reason to believe that on balance their products are inferior to the equivalent (major) US products. Kaspersky has to operate in Russia, so some collaboration with Russian military, intelligence, and politicos is a necessity. The questions can be divided into several categories. First rule: follow the money. What are their Russian sales as a % of their total? (I am aware (why wasn't this brought up, IDK, it seems relevant) that Kaspersky and Putin have been "seen together" on numerous occasions, they're not strangers). The second question is: is there a meaningful difference between the carrots and sticks that the Russkies can put onto the company, the executives/decision/policy makers of Kaspersky compared to those office holders in other AV companies? I'd guess marginally, there is. So the follow up question is what sort of structure, formal structure, has Kaspersky instituted to prevent direct Russian government intervention? (eg., 3rd party review and subsidiary (US) independence). The other category of questions are in the WTF? category: WTF is the US govt DOING using commercial products when it OBVIOUSLY should be able to provide its own for its own?? There's something seriously wrong with a government that spends as much on Defense as the US does, but is unable (or unwilling) to provide for the common defense. Makes me wonder which commercial products they use to encrypt their communications.
What's wrong with this picture? I chose Kaspersky because it is better than the alternatives. I can envision that certain users would come to a different conclusion, but it's hard for me to credit the US Govt as being competent enough to reach any valid conclusion. I suspect it's just more political as usual.
Pressuring Australia and UK not to buy their products.
So now software as well? Not the first time an Israeli company had to show and tell as well.
Remember when Norton released bloatware, and McAfee false positives - they gave it all to Kaspersky who are the only company to break ransomware with a public commentary.
USA companies should buy the best, as objectivity independently rated. In any case soon AV companies will have to expand their base offerings to prevent ransomware - rather than sell it as an extra.
he will tweet a 3am patch for the backdoors
Oh, then that's what Covfefe was !
That's why "The president and a small group of people know exactly what he meant [by covfefe]" !
It was a super secret code word to fix a vulnerability in Microsoft Windows before the Petya ransomware spreads ?
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Different gay bro here but I got a thank you letter from President Putin for sending him my Hot 100 Topless Men in the Forest compilation video.
the only av software that detected the rootkit was .....ya and you want them to expose themselves to the nsa
Indeed. But Trump followers often resemble Trump, so that is not much of a surprise.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I'm not sure what looking at the source gains.
Just like keeping two sets of books. They could easily have clean source freely available to anyone to look at and a slightly modified version that they actually use. You could not tell the difference unless you compile the source yourself. Is Kaspersky offering to allow them to compile it themselves and distribute to Americans that way?
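The check this comment points at, comparing what is shipped with what you compile yourself from the reviewed source, as an added example that is not part of the thread or any vendor's tooling. It assumes the build is reproducible bit for bit; the directory layout and file names are constructed, and SHA-256 is used instead of SHA-1 because SHA-1 collisions are practical.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_release(shipped_dir, rebuilt_dir):
    """Compare the vendor's shipped files with an independent rebuild.

    Any entry in the report means the shipped release is not what the
    reviewed source produces: changed bytes, or files on one side only.
    """
    shipped = manifest(shipped_dir)
    rebuilt = manifest(rebuilt_dir)
    common = shipped.keys() & rebuilt.keys()
    return {
        "mismatched": sorted(n for n in common if shipped[n] != rebuilt[n]),
        "only_in_shipped": sorted(shipped.keys() - rebuilt.keys()),
        "only_in_rebuild": sorted(rebuilt.keys() - shipped.keys()),
    }


def is_verified(report):
    """True only when every shipped file matches the rebuild exactly."""
    return not any(report.values())


def _write(root, rel, data):
    target = Path(root, rel)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)


def demo():
    """Constructed sample: one altered binary and one file never in the source."""
    with tempfile.TemporaryDirectory() as tmp:
        shipped, rebuilt = Path(tmp, "shipped"), Path(tmp, "rebuilt")
        # Identical in both trees.
        _write(shipped, "bin/scanner.exe", b"\x7fSCANNER-v1")
        _write(rebuilt, "bin/scanner.exe", b"\x7fSCANNER-v1")
        # Shipped copy differs from what the reviewed source compiles to.
        _write(shipped, "bin/updater.exe", b"\x7fUPDATER-v1+extra")
        _write(rebuilt, "bin/updater.exe", b"\x7fUPDATER-v1")
        # Present in the release but produced by nothing in the reviewed source.
        _write(shipped, "lib/extra.dll", b"\x7fUNREVIEWED")
        return compare_release(shipped, rebuilt)


if __name__ == "__main__":
    report = demo()
    for category, names in report.items():
        print(category, names)
    print("verified:", is_verified(report))
```

A build that embeds timestamps or build paths fails this comparison even when it is honest, so a matching result also depends on the vendor making the build deterministic.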
because, as we've learned time and again, they are susceptible to government interference. Accusations from the U.S. gov are completely baseless and without merit, in particular since we've learned how they use CIA and NSA for sabotage themselves, against countries they call allies.
The Russian apparatchiks in the White House?
Or the freedom fighters in Deep State?
-- Tigger warning: This post may contain tiggers! --
What would be the point? they can upload security updates at any time to upload nefarious programs/functions. I get almost 6 Mb a day security updates from Norton how do I know they are not acting hand in hand with their government ? Or they are acting with someone else?
Jack of all trades,master of none
Kaspersky Lab should show its source code to *everyone*, not just the U.S. government. It's absurd to even contemplate relying on a security product for which the source code is not publicly available. This case should highlight how incredibly absurd it is that proprietary software still exists in our society.
Sure, I will show you my code, minus any back doors or special features. You'll never know...two sets of code one for me and one for you.
same could be said about you
NSA Backdoor or Russian Backdoor it's a choice between Scylla and Charybdis https://en.wikipedia.org/wiki/...
Typical libtard, complaining about a spelling mistake but can't even use proper capitalization or punctuation themselves.
they cannot be saved
so weird, the TPP was the most biased pro us trade treaty my stupid country has ever signed, the tpp was pretty much the entire pacific rim bending over and spreading cheek for the us for some minor trade concessions
But even in your metaphor, proximity matters. If I have two shields, one strong against the Scylla and weak against the Charybdis, one strong against the Charybdis and weak against the Scylla, and I'm sailing past the Scylla, I would be a fool to not choose the shield strong against the Scylla, even though it is weak against the Charybdis, because the Charybdis is too far away to be a real concern.
Ultimately, I'd advise against using Windows altogether, but that's an entirely different conversation.
This is my signature. There are many like it, but this one is mine.
Don't look at the NSA, look at the Russians!
Requiem for the American Dream
It was good for US corporations, but bad for US workers.
This is my signature. There are many like it, but this one is mine.