US Agency Revokes All State Discounts For Kaspersky Products (thebaltimorepost.com)
The U.S. General Services Administration has removed Kaspersky Lab from its list of approved vendors for federal systems, which also eliminates the discounts it previously offered to state governments. Long-time Slashdot reader Rick Zeman writes:
"The agency's statement suggested a vulnerability exists in Kaspersky that could give the Russian government backdoor access to the systems it protects, though they offered no explanation or evidence of it," reports the Washington Post. Kaspersky, of course, denies this, offering their source code up for U.S. Government review... "Three current and former defense contractors told The Post that they knew of no specific warnings circulated about Kaspersky in recent years, but it has become an unwritten rule at the Pentagon not to include Kaspersky as a potential vendor on new projects."
"The lack of information from the GSA underscores a disconnect between local officials and the federal government about cybersecurity," the Post reports, adding that "the GSA's move on July 11 has left state and local governments to speculate about the risks of sticking with the company or abandoning taxpayer-funded contracts, sometimes at great cost."
The Post also quotes a cybersecurity expert at a prominent think tank -- the Center for Strategic and International Studies -- who believes that "it's difficult, if not impossible" for a company like Kaspersky to be headquartered in Moscow "if you don't cooperate with the government and the intelligence services."
was russian security software on the gsa in the first place? that's like outsourcing handling of the 'football' and cloud storage of launch codes to the fsb.
They all cooperate to some degree with all larger governments. They do not have a choice, governments have far too much power simply because they are large customers. Assuming otherwise is exceptionally naive. Of course, there are limits. No AV vendor will allow known government malware (US, Chinese, Russian, etc.) through. They cannot afford that. Making it easier for unknown malware is a different thing. In the end, as long as the exposure-risk for them is small, AV vendors will cooperate with the criminally-minded government agencies that modern governments seem to treasure so much. Governments, unfortunately, are yet again in the process of becoming the enemy of not only their own citizens, just like history never happened.
The one thing we can now be reasonably sure of is that Kaspersky will now stop cooperating with the US government, which, in my book, makes their products better than what the competition has.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
The possibility that Kaspersky Lab is beholden to the Russian government is real.
Yes, yes, I know the same can be said for American-based "security" companies, but it's more likely they are beholden to American spy agencies.
If you want news from today, you have to come back tomorrow.
The cyber cold war begins....
"The agency's statement suggested a vulnerability exists in Kaspersky that could give the Russian government backdoor access to the systems it protects, though they offered no explanation or evidence of it," reports the Washington Post. Kaspersky, of course, denies this, offering their source code up for U.S. Government review... "Three current and former defense contractors told The Post that they knew of no specific warnings circulated about Kaspersky in recent years, but it has become an unwritten rule at the Pentagon not to include Kaspersky as a potential vendor on new projects."
I'm not a security expert, but I don't know that this would necessarily soothe me. For example, perhaps the "backdoor" is devilishly obscured. Or, perhaps future exploits of a particularly tricky and secret nature will mysteriously not be added to whatever library Kaspersky's stuff uses. And then there is the issue of regular software updates: does the US government have to check the code with a fine-tooth comb every time? This alone would be problematic.
I mean, come on! To imagine that the Russians would not at least TRY to leverage the Kaspersky install base is ignorant.
Well then, we'll just switch to the cheaper Chinese stuff.
Have gnu, will travel.
"...they're going to use Symantec? Score!"
https://www.us-cert.gov/ncas/a...
Software built by Russian companies is backdoored by Russian spooks.
Software built by American companies is backdoored by American spooks.
Software built by Chinese companies is backdoored by Chinese spooks.
Does this surprise anyone at all?
They most certainly do for Linux!
APK
P.S.=> RoTfLmAo... apk
RUSSIAN SCUM!
On telling the world about the Equation Group, Stuxnet and a lot of other malware.
https://en.wikipedia.org/wiki/...
Domestic spying is now "Benign Information Gathering"
I wonder what the US govt thinks of Dr.Web, a less-known Russian-based AV vendor.
https://www.privateinternetacc...
Only one party voted against outsourcing it outside Sweden, the Sweden democrats. Another party decided to not vote at all, the Left party, possibly they were against it but refused to vote like the Sweden democrats with that result. The rest voted for it. .. and well.. that was good?
"The agency's statement suggested a vulnerability exists in Kaspersky that could give the Russian government backdoor access to the systems it protects, though they offered no explanation or evidence of it," reports the Washington Post. Kaspersky, of course, denies this, offering their source code up for U.S. Government review... "Three current and former defense contractors told The Post that they knew of no specific warnings circulated about Kaspersky in recent years, but it has become an unwritten rule at the Pentagon not to include Kaspersky as a potential vendor on new projects."
I'm not a security expert, but I don't know that this would necessarily soothe me. For example, perhaps the "backdoor" is devilishly obscured. Or, perhaps future exploits of a particularly tricky and secret nature will mysteriously not be added to whatever library Kaspersky's stuff uses. And then there is the issue of regular software updates: does the US government have to check the code with a fine-tooth comb every time? This alone would be problematic.
I mean, come on! To imagine that the Russians would not at least TRY to leverage the Kaspersky install base is ignorant.
I mean, come on! To imagine that the NSA would not at least TRY to leverage the software and HARDWARE of US-controlled companies is naive. If you're concerned about US government spying, Kaspersky sounds like the better option. Russia blocking US software and hardware seems to be the smart option. Who are you more afraid of?
Either get the state discount (taxpayer) or local admin shoulders the cost (taxpayer) or you use an inferior product (McAfee, srsly?).
Until they stick their toes out of their collective mouth and ditch Microsoft (and mind you, Apple, which is evil in a different way).
But what would you expect from this bunch of drooling morons, greased to the tune of industry lobb^H^H^H^Heducation?
National origin doesn't matter, people simply can't have full faith in closed source. All this propagandizing does is make modern man more equivalent to the cave man. If Kaspersky is offering source review with compilation on trusted systems, with sample submissions and the like running through trusted networks, then it's probably more trustworthy than others. People will remain clubbing it out like cave men, until they fundamentally change their markets and valuations, along with their software. Software bound to the confines of a society thriving on corruption bleeds that same corruption. Our own abhorrence towards such a state of being should inspire us to try and change it for the better, despite the likelihood of ending up as its victims ourselves.
As is the case for much of the accusations coming out of America: lies and propaganda to serve their self-interest. What's been definitively proven regarding the NSA and CIA dictates what the actual situation is: you cannot use American security and communication products and services.
Someone forgot to pay their protection money.
Better: "US Govt. Removes Kaspersky from Approved Vendors List".
Il n'y a pas de Planet B.
The US Government MUST have, at least internally, had discussions about this very subject before all the Russian hacking came around. I mean, Kaspersky has been around for at least a decade, plenty of time to root everyone's PC. I am not saying Kaspersky is Putin's lap dog, but I want to know what the discussions were before this whole fiasco happened and what evidence has shown that Kaspersky is dangerous now.
I mean it feels like Putin is having us run around in circles while all he is doing is sitting having a vodka:P/p?
Seems 'merica got caught with their hands in the cookie jar... now lashing out at others to divert attention from the back doors in 'merican products used worldwide... Cisco, Microsoft, c'mon, can y'all name a bunch of others!?
Found the Russian.
National origin doesn't matter, people simply can't have full faith in closed source.
People can't have full faith in open source either unless they are either capable of reviewing all the code themselves or can somehow establish a trusted chain of custody for all the code and tools to compile it. Most people cannot do the former and only large organizations realistically have the resources to do the latter. There are undeniably huge advantages to open source, but code security doesn't stand up to strict scrutiny in real-world use for non-trivial use cases. I don't compile my software, like most people, and I'm not remotely qualified to review the code. So from that standpoint there is essentially no difference to me between open and closed source as an end user. There are great advantages to open source, but this isn't one of them.
GSA should require all computers be locked in a bathroom closet
"there's a massive number of SYSTEM/Admin services that run on almost all systems by default" - by Anonymous Coward on Monday July 24, 2017 @03:14AM (#54865087)
Not on systems that use a security guide I wrote 11++ years ago (principles for securing services still work & easy to test OR reset if a lesser logon entity doesn't work) that secures that very thing https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1/ (that "very thing" being DEFAULT logon user entity SYSTEM)...
"With Linux, we know China has the source code but no way to trivially inject new code" - by Anonymous Coward on Monday July 24, 2017 @03:14AM (#54865087)
What happens to ANDROID (yes, it's a Linux) shows quite otherwise, lol... exploit after exploit almost weekly!
APK
P.S.=> The rest of your 'doubletalk' I could get into also but I haven't had my coffee yet so, you catch a break on that much here... apk
If the US, Russian, Chinese, North Korean governments, and the EFF were to all certify a particular piece of open source software, then I would say that I am pretty safe in not having to analyze it myself. Clearly this hasn't happened yet, but open source at least makes it possible. It even makes it easy for outside experts (governmental or otherwise) to do their analysis which means that I might be able to pick and choose from a large set of outside experts that I trust. This is because any private or governmental entity could trivially set itself up to be such an expert. With efforts like Debian's reproducible builds, I may not even have to compile it myself. I can just verify the appropriate checksum(s)/signature(s) on the binaries that I downloaded from some random web site.
I can even see this as a commercial service. The equivalent of the current anti-virus industry (with yearly subscriptions) would probably be viable. They could compete on how fast they analyze new releases and how many bugs (security or otherwise) they find in the code. It would probably be necessary to embargo their reports on new releases for a short period to maintain an incentive for subscription and to give time for the original developers to fix the problem, but much like the anti-virus industry they would want to publicly release their results as well for PR purposes. Any large entity that used open source and didn't subscribe to some of these services would probably be considered negligent by its customers and might even be considered legally negligent as well. Obviously, not every piece of open source software would be considered important enough to draw such scrutiny, but I suspect that all of the major network-facing open source software (server or client) would be viable for such treatment.
The above seems so obvious to me in retrospect that I wonder why it hasn't already happened. Perhaps there is a chicken-and-egg problem? There would be a fairly large up-front cost for the initial checking of a major piece of software and no certainty that there would be a sufficient level of subscriptions to justify this cost (or pay for the lower costs of checking future releases). One solution might be to do a Kickstarter campaign. I would be happy to contribute a modest sum ($100) if someone with expertise was to agree to check all releases of a major open source program for a year. It wouldn't even have to be a program that I used for that first year, as I would want to encourage the creation of an industry of this type. Now you might argue that I should just give my money to the actual developers of the program. The problem with that is that I may be happy with the current feature set of a program, but would like more emphasis on checking for security problems (or QA in general). Nor would this allow me to select the people doing the checking so they were less likely to be in a position to be influenced by other organizations. If there are any security experts reading this, please consider trying this out. Other than the time to write up a proposal with your qualifications, it seems to me like you would have little to lose.
[Oh, I would also support a similar campaign to write documentation for a major open source software package (say Libreoffice) if there are any documentation writers out there.]
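The post above describes trusting a binary because several independent reviewers, each doing their own reproducible build, publish a checksum that matches the download. The script below is an added example of that check, not code from the page or from Debian's reproducible-builds project: it parses sha256sum(1)-style SHA256SUMS files from three hypothetical reviewers, hashes the downloaded artifact, and accepts it only if a chosen quorum of reviewers agree. The artifact bytes, the reviewer names and their SHA256SUMS text are all constructed for illustration; one reviewer is deliberately made to disagree so the failure path is exercised.

```python
"""Verify a downloaded artifact against several independently published
SHA256SUMS files and require a quorum of them to agree.

Added example; not code from the page or from any project it mentions.
Every input below (artifact bytes, reviewer names, SHA256SUMS text) is
constructed for illustration.
"""
import hashlib
import hmac

# Constructed stand-in for a package fetched from an untrusted mirror.
ARTIFACT_NAME = "example-tool_1.2.3_amd64.deb"
ARTIFACT_BYTES = b"constructed package contents, version 1.2.3"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the artifact exactly as received."""
    return hashlib.sha256(data).hexdigest()


def parse_sha256sums(text: str) -> dict:
    """Parse sha256sum(1)-style output, one '<64 hex>  <filename>' per line.

    Blank, comment and malformed lines are ignored; a digest that is not
    exactly 64 hex characters is rejected so a truncated or hand-edited
    file can never "match" anything.
    """
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        name = name.lstrip("*")  # sha256sum prefixes '*' in binary mode
        digest = digest.lower()
        if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
            sums[name] = digest
    return sums


# Constructed attestations: what three hypothetical reviewers published
# after their own rebuilds. reviewer-c's build produced a different
# digest (non-reproducible build, or a tampered copy on its mirror).
_GOOD = sha256_hex(ARTIFACT_BYTES)
_OTHER = sha256_hex(ARTIFACT_BYTES + b"-differing-rebuild")
ATTESTATIONS = {
    "reviewer-a": f"{_GOOD}  {ARTIFACT_NAME}\n",
    "reviewer-b": f"# SHA256SUMS published by reviewer-b\n{_GOOD} *{ARTIFACT_NAME}\n",
    "reviewer-c": f"{_OTHER}  {ARTIFACT_NAME}\n",
}


def verify_quorum(data: bytes, name: str, attestations: dict, threshold: int) -> dict:
    """Accept `data` only if at least `threshold` reviewers published the
    same SHA-256 for `name`. Reviewers that list a different digest are
    reported separately from reviewers that do not list the file at all,
    since a silent omission and an explicit mismatch mean different things.
    """
    actual = sha256_hex(data)
    agree, disagree, missing = [], [], []
    for reviewer, sums_text in sorted(attestations.items()):
        published = parse_sha256sums(sums_text).get(name)
        if published is None:
            missing.append(reviewer)
        elif hmac.compare_digest(published, actual):  # constant-time compare
            agree.append(reviewer)
        else:
            disagree.append(reviewer)
    return {
        "ok": len(agree) >= threshold,
        "sha256": actual,
        "agree": agree,
        "disagree": disagree,
        "missing": missing,
    }


if __name__ == "__main__":
    # Two of three reviewers agree with our download, so a 2-of-3 quorum passes.
    print(verify_quorum(ARTIFACT_BYTES, ARTIFACT_NAME, ATTESTATIONS, threshold=2))
    # The same download fails a unanimous (3-of-3) policy because of reviewer-c.
    print(verify_quorum(ARTIFACT_BYTES, ARTIFACT_NAME, ATTESTATIONS, threshold=3))
```

The quorum threshold is the policy knob the post is really describing: with one reviewer you are back to trusting a single party, while requiring unanimity means any one non-reproducing build blocks deployment. In practice each reviewer's SHA256SUMS file would also carry a signature that is checked before the file is parsed; that step is omitted here so the example stays focused on the cross-reviewer comparison.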
...
I've said it before and I'll say it again, US is a shithole.
Eugene Kaspersky is a KGB officer. He graduated from the KGB Academy where he studied cryptography.
This may be immaterial. Or not.
I worked for one of the most trusted security and authorization companies in the world and no, there were no back doors in the software*. Our small security team could check every code checkin, test every product and had the final say on when a product was released**. The measure of our success was making sure the company was never in the news. We saw lots of stupidity, we saw lots of misunderstandings and we occasionally reviewed competitors' products where vulnerabilities were so obvious they looked like malice, but nothing in our own products. So no, I don't believe all companies are pressured into backdooring their products.
*We did have one customer insist on putting a security vulnerability into the version we gave them but everyone who knew about it pushed back and we made damn sure it was unique to the one customer.
**We even killed an entire product once after a non-trivial amount of the company's R&D went into it because we couldn't secure it the way it was architected. Other than having to prove our position and hurt feelings, it was accepted.
The swarm demands a war with Russia.
Ensure all assertions lead to this conclusion.
Kaspersky was actually the only AV that was finding shit, I guess NSA was pissed like hell. During my Norton times I got infected like 50 times.... Then switched to the dark side and nothing for years...