Slashdot Mirror


Should Kaspersky Lab Show Its Source Code To The US Government? (gizmodo.com)

Today the CEO of Kaspersky Lab said he's willing to show the company's source code to the U.S. government, testify before Congress, and even move part of his research work to the U.S. to dispel suspicions about his company. The Associated Press reports: Kaspersky, a mathematical engineer who attended a KGB-sponsored school and once worked for Russia's Ministry of Defense, has long been eyed suspiciously by his competitors, particularly as his anti-virus products became popular in the U.S. market. Some speculate that Kaspersky, an engaging speaker and a fixture of the conference circuit, kept his Soviet-era intelligence connections. Others say it's unlikely that his company could operate independently in Russia, where the economy is dominated by state-owned companies and the power of spy agencies has expanded dramatically under President Vladimir Putin. No firm evidence has ever been produced to back up the claims...

Like many cybersecurity outfits in the U.S. and elsewhere, some Kaspersky employees are former spies. Kaspersky acknowledged having ex-Russian intelligence workers on his staff, mainly "in our sales department for their relationship with the government sector." But he added that his company's internal network was too segregated for a single rogue employee to abuse it. "It's almost not possible," he said. "Because to do that, you have to have not just one person in the company, but a group of people that have access to different parts of our technological processes. It's too complicated." And he insisted his company would never knowingly cooperate with any country's offensive cyber operations.

A key Democrat on the Senate Armed Services Committee has told ABC that "a consensus in Congress and among administration officials that Kaspersky Lab cannot be trusted to protect critical infrastructure." Meanwhile, Slashdot reader Kiralan shares this article from Gizmodo noting Kaspersky Lab "has worked with both Moscow and the FBI in the past, often serving as a go-between to help the two governments cooperate." But setting the precedent of gaining trust through source code access is dangerous, as is capitulating to those demands. Russia has been making the same requests of private companies recently. Major technology companies like Cisco, IBM, Hewlett Packard Enterprise, McAfee, and SAP have agreed to give the Russian government access to "code for security products such as firewalls, anti-virus applications and software containing encryption," according to Reuters. Security firm Symantec pointedly refused to cooperate with Russian demands last week. "It poses a risk to the integrity of our products that we are not willing to accept," a Symantec spokesperson said in a statement.

19 of 182 comments

  1. Buy American? by Frosty+Piss · · Score: 2

    Beyond the paranoia, shouldn't Americans strive to buy American if there is an available competing product? I'm not "flag waving", but it does seem like at least one way to contribute to the American economy in some way.

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:Buy American? by Anonymous Coward · · Score: 3, Insightful

      What happens when you buy American? The "American" company that has its actual headquarters in Ireland or the Bahamas (on paper at least) shifts its profits into a Swiss bank account and then funnels the money back via a subsidiary in the Netherlands, helping no-one but their C-level executives.

    2. Re:Buy American? by sit1963nz · · Score: 2, Insightful

      The same argument then applied to every country who buys anything FROM the USA.

      There is over US$2 Trillion in exports to be put at risk by other countries doing the same.

      Does the USA really want to be locked out of 80% of the world's economy and 94% of the world's customers?

    3. Re:Buy American? by fuzzyfuzzyfungus · · Score: 2, Interesting

      It isn't just AV outfits. I don't know how much arm-twisting this originally may have involved; but Microsoft will let suitably qualified government customers look at the code. Given that the people who don't respect your copyrights have access to pirated versions anyway; and you don't really want "Security" to be an automatic winning argument against using your product, I imagine that it's not too hard a case to make.

      What I wonder more about is how much this access actually helps those who have it. Antivirus products in particular, and reasonably complex software in general, receive vendor updates that can, and sometimes do, substantially alter their behavior quite frequently (and often in response to serious security holes, so you can't just adopt a blanket policy of sitting on all updates for 18 months); so if you want to stick to the carefully hand-reviewed stuff, you'll be so far out of date that random botnets and commercially motivated attackers will be nibbling on you; but if you want timely signature updates and security patches you essentially end up trusting the vendor to not slip something nasty into some urgent auto-update.

    4. Re: Buy American? by nick_davison · · Score: 4, Insightful

      So the federal government should only buy American where comparable American products exist?

      But you start playing the protectionist game and other countries' governments may return the favor you've shown to their economies by ordering non-American whenever a comparable product exists.

      How well do you think Lockheed and Boeing will do when they're shut out of all European defense contracts because EADS, British Aerospace and SAAB all make comparable products?

      How much do you think the already massively cost-overrunning F-35 will cost when you can only spread the development cost over US-only sales? It's a project that only got off the ground because they figured in export sales to people like the U.K.

      It seems ironic that one faction within the US believes that a free market with minimal government involvement to skew that market is the key to success... except when it's politically expedient to add extra federal process to avoid a free market.

  2. Re:Trump is cool by gweihir · · Score: 2, Interesting

    No moderation option "-1 Moron", so posting it instead.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  3. Closed source security software by fred6666 · · Score: 5, Insightful

    Why should anyone trust closed source security software in the first place?

  4. Doesn't matter by mhkohne · · Score: 3, Insightful

    Even if Kaspersky shows the source today and intends to be completely upright in their dealings, they are still susceptible to govt interference. The govt could bully them into doing its bidding, or could plant its own people on the team.

    Just as I understand China not wanting to take MS at its word, we should probably not rely on these guys.

    --
    A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
    1. Re:Doesn't matter by Anonymous Coward · · Score: 5, Insightful

      So we shouldn't trust a Russian company because they may or may not have ties to the Russian government to do "bad things".

      But we have plenty of evidence the NSA has actually done real bad things and forced US companies to help and enable them to do it.
      So clearly we can't use any American software either.

      Where should we get our software from now?

    2. Re:Doesn't matter by Frosty+Piss · · Score: 2

      Just as I understand China not wanting to take MS at its word ...

      Hah! I get it, MS Word!

      --
      If you want news from today, you have to come back tomorrow.
    3. Re:Doesn't matter by BlueStrat · · Score: 2

      The major difference between the NSA and Russia is NSA will want every computer in the USA to keep functioning whereas in a time of war Russia would want every computer in the USA to stop functioning.

      Not sure that's been true for some time, if ever, regarding the USA (government) wanting every computer in the USA to keep working. I believe just the opposite, that the US government views the US population as at least as much, if not more, of a threat than any foreign state, and wants the ability to hack into and/or shut down any civilian/private/individual network or computer in the US, and is so afraid of the population that it's willing to sacrifice security vs foreign states to obtain it.

      So far they've demonstrated a willingness... nay, a blatantly cavalier attitude towards allowing back-door-able bugs to remain or be deliberately inserted into software to compromise & weaken security sold to and used by the general public.

      They keep telling us through their actions that they consider the US population enemies and potential enemies. If they persist, many in the population will begin to believe it themselves, and act accordingly.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
  5. No fucking way by Dunbal · · Score: 2

    The government is free to write its own anti-virus software.

    --
    Seven puppies were harmed during the making of this post.
  6. Would a US company do the same? by Zemran · · Score: 2

    How many US companies would want to show their source code to the Russian government? The Russian government has a far more trustworthy record in this area. Most malware now is based on code from the NSA. I think Kaspersky should not trust the US government and by doing so they become less trustworthy. If they rolled over on this how can we trust them not to allow changes to their code?

    --
    I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
  7. Offered in 2006 by AHuxley · · Score: 3, Informative

    "Russian anti-virus CEO offers up code for US govt scrutiny"
    http://hosted.ap.org/dynamic/s...
    "... ready to have his company's source code examined by U.S. government officials"

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:Offered in 2006 by AHuxley · · Score: 3, Informative

      Cyber spying risks the future of the internet (Nov 7 2013)
      http://www.smh.com.au/it-pro/s...
      "We are opening an office in [Washington] DC for this reason. We will send our source code, you can check our source code. You're welcome."

      --
      Domestic spying is now "Benign Information Gathering"
  8. Re:Who would install Putin's "anti-virus" ? by king+neckbeard · · Score: 2

    Because Putin's anti-virus would be the one most likely to not have NSA backdoors, which is what an American citizen should be concerned about.

    --
    This is my signature. There are many like it, but this one is mine.
  9. Beware Of Backdoors by nick_davison · · Score: 2

    It's important that the US government, the primary creator of forced backdoors and exploits, can make sure code doesn't have... oh.

    Now, if you'll excuse me, I've got to go and patch everything in my home due to the huge cache of zero day exploits the NSA were hoarding, rather than reporting, until they got leaked.

  10. Trustworthy? by bradley13 · · Score: 3, Insightful

    "Kaspersky Lab cannot be trusted to protect critical infrastructure"

    Whereas the US government is totally trustworthy. /sarc

    --
    Enjoy life! This is not a dress rehearsal.
  11. connections by Tom · · Score: 2

    Some speculate that Kaspersky, [...] kept his Soviet-era intelligence connections.

    No shit. Of course he did, you have to be a total idiot not to have connections to the intelligence sphere of the country you are operating in if you own a company in the security industry.

    The question should not be if he has connections. That's a given. You think McAfee has no such connections? The question is if they affect the product he is selling in a technically meaningful way. That he keeps such connections for the purpose of sales is clear.

    But hey, digging deeper than a sensationalist quote has fallen out of fashion, hasn't it?

    --
    Assorted stuff I do sometimes: Lemuria.org