Slashdot Mirror


Should Kaspersky Lab Show Its Source Code To The US Government? (gizmodo.com)

Today the CEO of Kaspersky Lab said he's willing to show the company's source code to the U.S. government, testify before Congress, and even move part of his research work to the U.S. to dispel suspicions about his company. The Associated Press reports: Kaspersky, a mathematical engineer who attended a KGB-sponsored school and once worked for Russia's Ministry of Defense, has long been eyed suspiciously by his competitors, particularly as his anti-virus products became popular in the U.S. market. Some speculate that Kaspersky, an engaging speaker and a fixture of the conference circuit, kept his Soviet-era intelligence connections. Others say it's unlikely that his company could operate independently in Russia, where the economy is dominated by state-owned companies and the power of spy agencies has expanded dramatically under President Vladimir Putin. No firm evidence has ever been produced to back up the claims...

Like many cybersecurity outfits in the U.S. and elsewhere, some Kaspersky employees are former spies. Kaspersky acknowledged having ex-Russian intelligence workers on his staff, mainly "in our sales department for their relationship with the government sector." But he added that his company's internal network was too segregated for a single rogue employee to abuse it. "It's almost not possible," he said. "Because to do that, you have to have not just one person in the company, but a group of people that have access to different parts of our technological processes. It's too complicated." And he insisted his company would never knowingly cooperate with any country's offensive cyber operations.

A key Democrat on the Senate Armed Services Committee has told ABC that "a consensus in Congress and among administration officials that Kaspersky Lab cannot be trusted to protect critical infrastructure." Meanwhile, Slashdot reader Kiralan shares this article from Gizmodo noting Kaspersky Lab "has worked with both Moscow and the FBI in the past, often serving as a go-between to help the two governments cooperate." But setting the precedent of gaining trust through source code access is dangerous, as is capitulating to those demands. Russia has been making the same requests of private companies recently. Major technology companies like Cisco, IBM, Hewlett Packard Enterprise, McAfee, and SAP have agreed to give the Russian government access to "code for security products such as firewalls, anti-virus applications and software containing encryption," according to Reuters. Security firm Symantec pointedly refused to cooperate with Russian demands last week. "It poses a risk to the integrity of our products that we are not willing to accept," a Symantec spokesperson said in a statement.

3 of 182 comments

  1. Re:Trump is cool by gweihir · Score: 2, Interesting

    No moderation option "-1 Moron", so posting it instead.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. Re:Closed source security software by AHuxley · Score: 1, Interesting

    Security software helps find nation state efforts
    Longhorn: Tools used by cyberespionage group linked to Vault 7
    https://www.symantec.com/conne...
    Equation Group https://en.wikipedia.org/wiki/...
    Stuxnet https://en.wikipedia.org/wiki/...
    Operation Socialist https://en.wikipedia.org/wiki/...

    --
    Domestic spying is now "Benign Information Gathering"
  3. Re:Buy American? by fuzzyfuzzyfungus · Score: 2, Interesting

    It isn't just AV outfits. I don't know how much arm-twisting this originally may have involved; but Microsoft will let suitably qualified government customers look at the code. Given that the people who don't respect your copyrights have access to pirated versions anyway; and you don't really want "Security" to be an automatic winning argument against using your product, I imagine that it's not too hard a case to make.

    What I wonder more about is how much this access actually helps those who have it. Antivirus products in particular, and reasonably complex software in general, receive vendor updates that can, and sometimes do, substantially alter their behavior quite frequently (and often in response to serious security holes, so you can't just adopt a blanket policy of sitting on all updates for 18 months); so if you want to stick to the carefully hand-reviewed stuff, you'll be so far out of date that random botnets and commercially motivated attackers will be nibbling on you; but if you want timely signature updates and security patches you essentially end up trusting the vendor to not slip something nasty into some urgent auto-update.