Slashdot Mirror
Should Kaspersky Lab Show Its Source Code To The US Government? (gizmodo.com)
Today the CEO of Kaspersky Lab said he's willing to show the company's source code to the U.S. government, testify before Congress, and even move part of his research work to the U.S. to dispel suspicious about his company. The Associated Press reports:
Kaspersky, a mathematical engineer who attended a KGB-sponsored school and once worked for Russia's Ministry of Defense, has long been eyed suspiciously by his competitors, particularly as his anti-virus products became popular in the U.S. market. Some speculate that Kaspersky, an engaging speaker and a fixture of the conference circuit, kept his Soviet-era intelligence connections. Others say it's unlikely that his company could operate independently in Russia, where the economy is dominated by state-owned companies and the power of spy agencies has expanded dramatically under President Vladimir Putin. No firm evidence has ever been produced to back up the claims...
Like many cybersecurity outfits in the U.S. and elsewhere, some Kaspersky employees are former spies. Kaspersky acknowledged having ex-Russian intelligence workers on his staff, mainly "in our sales department for their relationship with the government sector." But he added that his company's internal network was too segregated for a single rogue employee to abuse it. "It's almost not possible," he said. "Because to do that, you have to have not just one person in the company, but a group of people that have access to different parts of our technological processes. It's too complicated." And he insisted his company would never knowingly cooperate with any country's offensive cyber operations.
A key Democrat on the Senate Armed Services Committee has told ABC that "a consensus in Congress and among administration officials that Kaspersky Lab cannot be trusted to protect critical infrastructure." Meanwhile, Slashdot reader Kiralan shares this article from Gizmodo noting Kaspersky Lab "has worked with both Moscow and the FBI in the past, often serving as a go-between to help the two governments cooperate." But setting the precedent of gaining trust through source code access is dangerous, as is capitulating to those demands. Russia has been making the same requests of private companies recently. Major technology companies like Cisco, IBM, Hewlett Packard Enterprise, McAfee, and SAP have agreed to give the Russian government access to "code for security products such as firewalls, anti-virus applications and software containing encryption," according to Reuters. Security firm Symantec pointedly refused to cooperate with Russian demands last week. "It poses a risk to the integrity of our products that we are not willing to accept," a Symantec spokesperson said in a statement.
Like many cybersecurity outfits in the U.S. and elsewhere, some Kaspersky employees are former spies. Kaspersky acknowledged having ex-Russian intelligence workers on his staff, mainly "in our sales department for their relationship with the government sector." But he added that his company's internal network was too segregated for a single rogue employee to abuse it. "It's almost not possible," he said. "Because to do that, you have to have not just one person in the company, but a group of people that have access to different parts of our technological processes. It's too complicated." And he insisted his company would never knowingly cooperate with any country's offensive cyber operations.
A key Democrat on the Senate Armed Services Committee has told ABC that "a consensus in Congress and among administration officials that Kaspersky Lab cannot be trusted to protect critical infrastructure." Meanwhile, Slashdot reader Kiralan shares this article from Gizmodo noting Kaspersky Lab "has worked with both Moscow and the FBI in the past, often serving as a go-between to help the two governments cooperate." But setting the precedent of gaining trust through source code access is dangerous, as is capitulating to those demands. Russia has been making the same requests of private companies recently. Major technology companies like Cisco, IBM, Hewlett Packard Enterprise, McAfee, and SAP have agreed to give the Russian government access to "code for security products such as firewalls, anti-virus applications and software containing encryption," according to Reuters. Security firm Symantec pointedly refused to cooperate with Russian demands last week. "It poses a risk to the integrity of our products that we are not willing to accept," a Symantec spokesperson said in a statement.
Beyond the paranoia, shouldn't American strive to buy American if there is an available competing product? I'm not "flag waving", but it does seem like at least one way to contribute to the American economy in some way.
If you want news from today, you have to come back tomorrow.
he means 'President Trump'
Well, come on now, you really must answer, "Yes" if you are for open source and the ability of the user(s) to review the code. After all, isn't the U.S. Government right now saying that they don't trust the code? Or, they've got concerns, at least?
I love how he pisses off the libtards. 8 years of Trump will be great.
... no?
If the government wants to see the source code of a product, they can choose an open source one like the rest of us.
Maybe the USAian government (& its agencies) should openly show the world THEIR code....
With all the Intel chip secret OS and CIA / NSA hacktool stories, the FSB and Chinese start looking like the good guys.
You would have to be incredibly stupid to install Kaspersky onto any computer you own.
You might as well email all your files directly to Vladimir Putin.
You are not Donald Trump - you aren't going to get paid to commit treason by Vladimir Putin. You will be committing treason for free, like a Trump voter.
Why should anyone trust closed source security software in the first place?
Even if Kaspersky shows the source today and intends to be completely upright in their dealings, they are still susceptible to govt interference. The govt could nully them into doing it's bidding, or could plant it's own people on the team.
Just as I understand China not wanting to take MS at it's word, we should probably not rely on these guys.
A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
The real value of anti-virus software is not the source code, it's the data--the signatures it looks for to spot malware. I'm fine with them keeping their database proprietary. But why not make the source code freely available...unless they have something to hide!
Let's say they release some source code. Who could prove that the executable that customers use, was compiled from that source code, without modification?
a) Don't trust Symantec, they've got stuff to hide in their source code whether it's NSA-stuff or sloppy code.
b) You can probably trust Kaspersky for most things except NSA-stuff.
I've personally never trusted Symantec and I always thought Kaspersky was good enough for the home, I never considered them to be a serious contender in the enterprise-market. I have serious reservations about most US-based closed source (security) software and closed system hardware manufacturers. The NSA persuaded a relatively small (10k employees) employer of mine to install taps with full cooperation of Cisco and IBM, so any of these larger companies must have ties if not outright taps in the software.
What we really need is for these companies to open-source their stuff.
Custom electronics and digital signage for your business: www.evcircuits.com
In general, no. No way should any government be able to just demand access to the code that makes your product unique from your competitors.
However, if you are up for a government contract to supply said product for government use -then allowing code review sounds reasonable.
Will it ever end?
I wish all this idiot democrats would drown in a sea of their own bullshit
What about Veeam?
What about Acronis?
Quick joke: Donald J. Trump
Wanna Cry proved why Apple was smart not to create a tool for the federal government that could be used to break encryption on iOS based devices. If such a tool exists it will inevitably be leaked. Kaspersky should tell the federal government where they can stick it if they ask for the source code and they most certainly shouldnâ(TM)t offer it up.
The government is free to write its own anti-virus software.
Seven puppies were harmed during the making of this post.
How many US companies would want to show their source code to the Russian government? The Russia government has a far more trustworthy record in this area. Most malware now is based on code from the NSA. I think Kaspersky should not trust the US government and by doing so they become less trustworthy. If they rolled over on this how can we trust them not to allow changes to their code?
I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
Its like mkultra lite. Someone posts something to do with russia and those comfortable little neural pathways fire all the way to their pre-programmed destination. And we end up with a thread about Trump.
They are (to the extent it is applicable to anything that's Russian) a private company, at least on the US market, and they can hide or disclose whatever parts of the code they want, unless there's a subpoena or a search warrant. But by the same token, of course no agency in their right mind, much less a government agency, can possibly contemplate using anything developed by a KGB man.
I can assure you, the best way to get rid of dragons is to have one of your own.
"Russian anti-virus CEO offers up code for US govt scrutiny"
http://hosted.ap.org/dynamic/s...
"... ready to have his company's source code examined by U.S. government officials"
Domestic spying is now "Benign Information Gathering"
It's an old security concept that people seem to forget.
Design your system so that as long as your credentials are not compromised (passwords/certs/authentication keys), attackers should be able to get everything else about your system and still be kept out.
Now, this is NOT saying that secrecy has no value. I readily admit that I'm not perfect, so I keep details of my systems secret as a second layer of protection (make the attacker work harder, which gives me more of a chance to detect that they are there)
But when you are looking to implement security software produced by someone else, being able to inspect it is good, because you cannot have confidence that your attackers haven't had a chance to inspect it, so you want to be on equal footing.
This is one of the reasons why Open Source is so important for such sysems
Catches a lot, low footprint, Czechoslovakia is just awesome.
TFA: "A key Democrat on the Senate Armed Services Committee has told ABC that "a consensus in Congress and among administration officials that Kaspersky Lab cannot be trusted to protect critical infrastructure.""
The same could be said by any foreign government or individual about Microsoft or Apple operating systems.
"I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
Invest in software and hackers, corrupt politicans and useful idiots, smear propaganda on TV
and you don't need to conquer more economicaly and advanced countries
you own them
you can "elect" anybody, sabotage anything
Their most prominent software companies give you all their codes , plus espionage..
something like "the capitalists sell to us rope that we use to hang them "
So Obama was fooled by thinking Russia is weak and was defeated with shame as dumb looser
The CIA saves explosives and Kaspersky's software is rendered useless.
...because Trust The Government https://www.youtube.com/watch?v=wofs8ZpcXlM
Seriously, let them decide "fuck the USA, we still have the rest of the world". Downside? Sales in the US fall. Upside? As the great lady sings "Are EE Ess Pee Ee See Tee".
Give em the source. Downside? NSA says "damn, never thought of that.". Or "damn, they just found $NSA_Hack_Tool". Upside? Nothing I can think of, outside of sales in the US.
I don't think the us public should blame Russian companies for what Putin does, without evidence.
Does kapersky send data back to kapersky hq? Are there 0 day malware/virus signatures missing from the database?
that said, the us gov shouldn't trust domestic code any more then foreign. Sleeper cells could be asleep anywhere.
"sure, here's mode code right here. I promise it's the real thing"
Regardless of the other arguments, who really thinks he will provide the real code?
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
Market. Theref0Re,
Isn't the American government a wholly owned subsidiary of the Russian government at this point?
It's unlikely that his company could operate independently in Russia, where the economy is dominated by state-owned companies and the power of spy agencies has expanded dramatically under President
The funny part is that you can take this sentence, replace Russia by US, and state-owned by privately-owned, and it is still true.
DIFFERENT argument. entirely.
This is being compelled to show source code.
You're talking about which one is more trustworthy. Completely different discussion.
Who believes the US government doesn't have a full copy of the source already?
If only a government has access to the source then the government could find flaws in it easier to exploit it and keep it secret from the other governments and everyone else. Either make the source available to everyone or leave it secret to everyone outside the company.
For once, the answer to the headline is "yes."
Yes, Kaspersky should show its source code to the US Government. They should show their source code to all of their users. All software should come with its source code. If you weren't convinced of that before, you should have been by the audit of Toyota's source code.
http://www.safetyresearch.net/...
it's the kind of positive make-work project that does good things for the local economy. The guys I know in the defense industry make 2-3x the going rate for the equivalent work (unless they're high-end math guys, Wallstreet gobbles those guys up for HFT).
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
It's important that the US government, the primary creator of forced backdoors and exploits, can make sure code doesn't have... oh.
Now, if you'll excuse me, I've got to go and patch everything in my home due the the huge cache of zero day exploits the NSA were hoarding, rather than reporting, until they got leaked.
Who to trust? American Software? Ask the NSA, they will recommend it.
If the russians want to spy, they at least want to spy on the government not on the people.
Today the CEO of Kaspersky Lab said he's willing to show the company's source code to the U.S. government, testify before Congress, and even move part of his research work to the U.S. to dispel suspicious about his company. The Associated Press reports:
From real life to gaming VR I've never heard of anyone being able to dispel suspicious.
A 'singular oddity' is an event that cannot be explained and only happens when you are alone.
"Kaspersky Lab cannot be trusted to protect critical infrastructure"
Whereas the US government is totally trustworthy. /sarc
Enjoy life! This is not a dress rehearsal.
why ask? are they not already sharing everything? I really really don't buy all the we are innocent BS from every american company... Apple is a good example... I bet the whole thing with the phone unlocking was a big publicity stunt for both Apple, NSA and the company that "opened" the phone... Geez... give us a break... the rest of the world is not that stupid!
Some speculate that Kaspersky, [...] kept his Soviet-era intelligence connections.
No shit. Of course he did, you have to be a total idiot not to have connections to the intelligence sphere of the country you are operating in if you own a company in the security industry.
The question should not be if he has connections. That's a given. You think McAfee has no such connections? The question is if they affect the product he is selling in a technically meaningful way. That he keeps such connections for the purpose of sales is clear.
But hey, digging deeper than a sensationalist quote has fallen out of fashion, hasn't it?
Assorted stuff I do sometimes: Lemuria.org
Russia is a kleptocracy, and it's absurd to think they could not put the screw on Kaspersky. While they are based in or have assets in Russia, I certainly wouldn't use them. End of story.
If Kaspersky resisted, it'd be bullets and polonium tea all around. Simple as that.
I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
It is obvious to anyone who isn't an idiot that the Democrats in American Government have listened far too much to people like Dmitri Alperovitch.
I, for one, wouldn't let the likes of "Crowdstrike" anywhere near my network for any reason whatsoever.
For suing microsoft over av.
I use Kaspersky as my primary AV. I went through the same thought process (although without the enormous resources of the US gov't) and found no reason to believe that on balance their products are inferior to the equivalent (major) US products. Kaspersky has to operate in Russia, so some collaboration with Russian military, intelligence, and politicos is a necessity. The questions can be divided into several categories. First rule: follow the money. What are their Russian sales as a % of their total? (I am aware (why wasn't this brought up, IDK, it seems relevant) that Kaspersky and Putin have been "seen together" on numerous occassions, they're not strangers). The second question is: is there a meaningful difference between the carrots and sticks that the Russkies can put onto the company, the executives/decision/policy makers of Kaspersky compared to those office holders in other AV companies? I'd guess marginally, there is. So the follow up question is what sort of structure, formal structure, has Kaspersky instituted to prevent direct Russian government intervention? (eg., 3rd party review and subsidiary (US) independence). The other category of questions are in the WTF? category: WTF is the US govt DOING using commercial products when it OBVIOUSLY should be able to provide it own for its own?? There's something seriously wrong with a government that spends as much on Defense as the US does, but is unable (or unwilling) to provide for the common defense. Makes me wonder which commercial products they use to encrypt their communications.
What's wrong with this picture? I chose Kaspersky because it is better than the alternatives. I can envision that certain users would come to a different conclusion, but its hard for me to credit the US Govt as being competent enough to reach any valid conclusion. I suspect its just more political as usual.
Pressuring Australia and UK not to buy their products.
So now software as well? Not the first time an Israeli company had to show and tell as well.
Remember when Norton released bloatware, and McAfee false positives - they gave it all to Kaspersky who are the only company to break ransomware with a public commentary.
USA companies should buy the best, as objectivity independently rated. In any case soon AV companies will have to expand their base offerings to prevent ransomware - rather than sell it as an extra.
he will tweet a 3am patch for the backdoors
Oh, then that's what Covfefe was !
That's why "The president and a small group of people know exactly what he meant [by covfefe]" !
It was a super secret code word to fix a vulnerability in Microsoft Windows before the Petya ransomware spreads ?
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
the only av software that detected the rootkit was .....ya and you want them to expose themselves to the nsa
I'm not sure what looking at the source gains.
Just like keeping two sets of books. They could easily have clean source freely available to anyone to look at and a slightly modified version that they actually use. You could not tell the difference unless you compile the source yourself. Is Kaspersky offering to allow them to compile it themselves and distribute to Americans that way?
because, as we've learned time and again, they are susceptible to government interference. Accusations from the U.S. gov are completely baseless and without merit, in particular since we've learned how they use CIA and NSA for sabotage themselves, against countries they call allies.
The Russian apparatchiks in the White House?
Or the freedom fighters in Deep State?
-- Tigger warning: This post may contain tiggers! --
What would be the point? they can upload security updates at any time to upload nefarious programs/functions. I get almost 6 Mb a day security updates from Norton how do i know they are not acting hand in hand what their government ? Or they are acting with someone else?
Jack of all trades,master of none
Kaspersky Lab should show it's source code to *everyone*, not just the U.S. government. It's absurd to even contemplate relying on a security product for which the source code is not publicly available. This case should highlight how incredibly absurd it is that proprietary software still exists in our society.
Sure, I will show you my code, minus any back doors or special features. You'll never know...two sets of code one for me and one for you.
Don't look at the NSA, look at the Russians!
Requiem for the American Dream