US Agency Revokes All State Discounts For Kaspersky Products (thebaltimorepost.com)

← Back to Stories (view on slashdot.org)

US Agency Revokes All State Discounts For Kaspersky Products (thebaltimorepost.com)

Posted by EditorDavid on Sunday July 23, 2017 @04:30PM from the federal-funding's-finished dept.

The U.S. General Services Administration has removed Kapersky Lab from its list of approved vendors for federal systems, which also eliminates the discounts it previously offered to state governments. Long-time Slashdot reader Rick Zeman writes: "The agency's statement suggested a vulnerability exists in Kaspersky that could give the Russian government backdoor access to the systems it protects, though they offered no explanation or evidence of it," reports the Washington Post. Kaspersky, of course, denies this, offering their source code up for U.S. Government review... "Three current and former defense contractors told The Post that they knew of no specific warnings circulated about Kaspersky in recent years, but it has become an unwritten rule at the Pentagon not to include Kaspersky as a potential vendor on new projects."
"The lack of information from the GSA underscores a disconnect between local officials and the federal government about cybersecurity," the Post reports, adding that "the GSA's move on July 11 has left state and local governments to speculate about the risks of sticking with the company or abandoning taxpayer-funded contracts, sometimes at great cost."

The Post also quotes a cybersecurity expert at a prominent think tank -- the Center for Strategic and International Studies -- who believes that "it's difficult, if not impossible" for a company like Kaspersky to be headquartered in Moscow "if you don't cooperate with the government and the intelligence services."

42 of 93 comments (clear)

Min score:

Reason:

Sort:

why the fuck by Anonymous Coward · 2017-07-23 16:42 · Score: 1

was russian security software on the gsa in the first place? that's like outsourcing handling of the 'football' and cloud storage of launch codes to the fsb.
How quaint by gweihir · 2017-07-23 16:43 · Score: 4, Interesting

They all cooperate to some degree with all larger governments. They do not have a choice, governments have far too much power simply because they are large customers. Assuming otherwise is exceptionally naive. Of course, there are limits. No AV vendor will allow known government malware (US, Chinese, Russian, etc.) through. They cannot afford that. Making it easier for unknown malware is a different thing. In the end, as long as the exposure-risk for them is small, AV vendors will cooperate with the criminally-minded government agencies that modern governments seem to treasure so much. Governments, unfortunately, are yet again in the process of becoming the enemy of not only their own citizens, just like history never happened.
The one thing we can now be reasonably sure of is that Kaspersky will now stop cooperating with the US government, which, in my book, makes their products better than what the competition has.

--
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
1. Re:How quaint by Frosty+Piss · 2017-07-23 17:19 · Score: 2
  
  No AV vendor will allow known government malware (US, Chinese, Russian, etc.) through.
  
  http://www.reuters.com/article...
  
  --
  If you want news from today, you have to come back tomorrow.
2. Re:How quaint by AHuxley · 2017-07-23 18:11 · Score: 3, Informative
  
  Re "No AV vendor will allow known government malware .. through."
  The US did consider that for Magic Lantern.
  https://en.wikipedia.org/wiki/...
  
  --
  Domestic spying is now "Benign Information Gathering"
3. Re:How quaint by gweihir · 2017-07-23 19:28 · Score: 1
  
  I am aware of that discussion. What I meant by "known" is "the binaries and signatures are in the public" and that means everybody can find out whether an AV product detects it or not. The negative fallout of not detecting it in that situation would be disastrous for any AV company. Sure, initially, they could claim ignorance, but if they insist on non-detection, that would be another story. Also, somebody has to try the malware against the AV products. Not really difficult, one upload to VirusTotal is enough for that.
  Of course, as long as the binaries/signatures are not publicly available, AV vendors may get away cooperating with criminally-minded governments.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
4. Re:How quaint by gweihir · 2017-07-23 19:31 · Score: 3, Insightful
  
  Getting subverted by criminal means does not count as "allowing". It counts as having gotten compromised. Anyways, nobody in their right mind will use RSA products for security at this time. They have screwed up far too often in the last few years. (Yes, I am aware their stuff still gets used. Do not expect a working security mind-set anywhere where that is the case....)
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
5. Re:How quaint by Anonymous Coward · 2017-07-23 20:06 · Score: 1
  
  the criminally-minded government agencies that modern governments seem to treasure so much.
  We call that normal police co-operation here, in the other side of the world. That said, many US AV vendors generally do co-operate with the US government, while the vendors from independent, small countries tend to avoid that particular hook. $-) (That's my patriotic marketing wink)
And for good reason... by Frosty+Piss · 2017-07-23 16:50 · Score: 4, Interesting

The possibility that Kapersky Lab is beholden to the Russian government is real.
Yes, yes, I know the same can be said for American based "security" companies, but it's more likly they are beholden to American spy agencies.

--
If you want news from today, you have to come back tomorrow.
1. Re:And for good reason... by Anonymous Coward · 2017-07-23 19:43 · Score: 1
  
  As history has abundantly demonstrated, being beholden to US TLAs is not necessarily better, certainly not in terms of risk of compromise and mass monitoring of US citizens. -PCP
2. Re: And for good reason... by KGIII · 2017-07-24 04:43 · Score: 1
  
  "These people," are the government. What are you on about?
  
  --
  "So long and thanks for all the fish."
Hmmmmm... by Frosty+Piss · 2017-07-23 16:57 · Score: 3, Interesting

"The agency's statement suggested a vulnerability exists in Kaspersky that could give the Russian government backdoor access to the systems it protects, though they offered no explanation or evidence of it," reports the Washington Post. Kaspersky, of course, denies this, offering their source code up for U.S. Government review... "Three current and former defense contractors told The Post that they knew of no specific warnings circulated about Kaspersky in recent years, but it has become an unwritten rule at the Pentagon not to include Kaspersky as a potential vendor on new projects."
I'm not a security expert, but I don't know that this would necessarily sooth me. For example, perhaps the "backdoor" is devilishly obscured. Or, perhaps future exploits of a particularly tricky and secret nature will mysteriously not be added to whatever library Kaspersky's stuff uses. And then there is the issue of regular software updates, does the US government have to check the code with a fine tooth comb every time - this alone would be problematic.
I mean, come on! To imagine that the Russians would not at least TRY to leverage the Kaspersky install base is ignorant.

--
If you want news from today, you have to come back tomorrow.
1. Re:Hmmmmm... by FooAtWFU · 2017-07-23 18:00 · Score: 1
  
  For example, perhaps the "backdoor" is devilishly obscured
  Heck, if you don't compile it yourself with a fully reproducible build process, the source could be a lie.
  
  --
  The World Wide Web is dying. Soon, we shall have only the Internet.
2. Re:Hmmmmm... by Anonymous Coward · 2017-07-23 20:07 · Score: 2, Interesting
  
  Depending on the development environment in question, for added fun, you could still have problems even if you compile it yourself. On the bright side, things like diverse double compiling might be helpful in this area. -PCP
3. Re:Hmmmmm... by phayes · 2017-07-24 00:07 · Score: 1
  
  Strawman. The USG delisting Kaspersky as an approved vendor in no way impacts what other countries can/will do. The impact of the delisting is limited to USG purchases.
  
  --
  Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
4. Re:Hmmmmm... by Megol · 2017-07-24 08:21 · Score: 1
  
  Not a strawman. He explicitly extends ("using[sic] that logic ...") the paranoid thinking to a logical conclusion. That doesn't mean that you have to agree with that extreme form of paranoia or that he implies that you do.
5. Re:Hmmmmm... by StikyPad · 2017-07-24 08:37 · Score: 1
  
  There's a limit to how obscure backdoors can be. At the end of the day, the backdoor has to either initiate or receive a connection, and that gives the game away. The problem is that monitoring connection logs is tedious, boring, and -- if you're paying someone competent -- expensive.
  Moreover, the risk/reward for creating and using a backdoor in security software doesn't make sense when the ability to exploit 0-days in the OS itself is so easy. Why blow your own hard-earned reputation when you can blow someone else's instead? Anyone with enough money can buy a 0-day and a payload (which is pretty much any nation state) and have as much access to any system as they desire until the vulnerability is discovered and patched/firewalled.
  
  --
  https://www.eff.org/https-everywhere
6. Re:Hmmmmm... by phayes · 2017-07-24 10:58 · Score: 1
  
  Using the "Every country in the world" bit is a ridiculous argument given that the context is explicitly the U.S. delisting a vendor from a country that has been shown to meddle in our election process. The USG delisting kaspersky has absolutely _no_ impact on other countries.
  So, yeah, it _is_ a strawman.
  
  --
  Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
No discount? by PPH · 2017-07-23 17:03 · Score: 5, Funny

Well then, we'll just switch to the cheaper Chinese stuff.

--
Have gnu, will travel.
Overheard at the FSB... by emil · 2017-07-23 17:16 · Score: 3, Informative

"...they're going to use Symantec? Score!"
https://www.us-cert.gov/ncas/a...
Well duh... by Reverend+Green · 2017-07-23 17:37 · Score: 5, Insightful

Software built by Russian companies is backdoored by Russian spooks.
Software built by American companies is backdoored by American spooks.
Software built by Chinese companies is backdoored by Chinese spooks.
Does this surprise anyone at all?
1. Re:Well duh... by aliquis · 2017-07-23 18:45 · Score: 2
  
  "As you know yourself you know others"
  Guess the software which really shouldn't be trusted is the American made one ...
Good work by AHuxley · 2017-07-23 18:09 · Score: 1

On telling the world about the Equation Group, Stuxnet and a lot of other malware.
https://en.wikipedia.org/wiki/...

--
Domestic spying is now "Benign Information Gathering"
dr.Web by D,Petkow · 2017-07-23 18:17 · Score: 1

i wonder what the US govt thinks of DR.Web - less known Russian based AV vendor
Do as we did in Sweden. by aliquis · 2017-07-23 18:41 · Score: 1

https://www.privateinternetacc...
Only one party voted against outsourcing it outside Sweden, the Sweden democrats. Another party decided to not vote at all, the Left party, possibly they were against it but refused to vote like the Sweden democrats with that result. The rest voted for it. .. and well.. that was good?
1. Re:Do as we did in Sweden. by Anonymous Coward · 2017-07-23 20:22 · Score: 2, Informative
  
  For those of you not familiar with Swedish politics, the Sweden "Democrats" are anything but. They're right-wing/racist/ultra-nationalist, with their origins in the White Power movement and the Swedish Nazis. (Fun fact: Sweden never outlawed the Nazi Party.) They're a minority in the Riksdag, and every other party with seats refuses to co-operate with them on any matter.
  The irony here is that SD are anti-EU and pro-Russian and they're attempting to score political points pretending to be against something that damages the EU and benefits Russia.
2. Re:Do as we did in Sweden. by Zontar+The+Mindless · 2017-07-23 20:25 · Score: 1
  
  Even a stopped clock is right twice a day.
  
  --
  Il n'y a pas de Planet B.
3. Re:Do as we did in Sweden. by AHuxley · 2017-07-24 01:11 · Score: 1
  
  Re Did Russia violate any Swedish interests lately, or are you guys still bitter over 1809?\
  Just the FRA wanting to keep its third party sigint agreement with the NSA, GCHQ.
  For that they have to show a good attitude.
  
  --
  Domestic spying is now "Benign Information Gathering"
4. Re:Do as we did in Sweden. by penandpaper · 2017-07-24 02:48 · Score: 1
  
  Fancy you. I just have a broken clock.
5. Re:Do as we did in Sweden. by aliquis · 2017-07-24 08:04 · Score: 1
  
  the Sweden "Democrats" are anything but
  DemocracyÂs flaw is that it allow the dictatorship of the majority. If you value the collective more than the individual that's fine. But I have a hard time accepting it. But that's a fact. And the Sweden democrats are just as much democrats as anything else. Any claim for them being anti-democrats beyond valuing the opinion by the Swedes higher than that of the non-Swedes (all national democratic parties should do exactly that) is complete bullshit simply by association.
  Regardless Sweden isn't a functional democracy.
  You can argue whatever EU itself is a democracy or not, the truth regardless is that many decisions will be made by the elite not in line with the will of the people both in the EU and in Sweden and that private public servants, consult groups and such will make decisions for the people without ever having been elected themselves.
  EU and Sweden haven't got complete freedom of speech or religion rights among others so it's not possible to say what you feel or want without consequences and hence people shut up.
  The largest Swedish media is paid for and ran by the state.
  The state also distribute money to publishers and organisations but put enforce ideological values for the later and has kinda been hinting about how they also want to do that with the later too.
  Our current government are suggesting that media shouldn't be allowed to for instance mention the national origin of a criminal. At all. They refuse to generate new statistics over criminality and the origin of those who commit the crimes too.
  The voting public in Sweden aren't entrusted the facts. They aren't allowed to get the information they need to understand the world. They aren't allowed to tell others how they feel. Chances are they won't be allowed to create interest groups for people who share their interests either (it's already in the UN race discrimination convention and Sweden as the progressive cluster-fuck it is of course always have to be the most obedient self-sacrificing nation there is.)
  So don't fool yourself. Sweden and EU aren't democracies. That would actually be ok if they were libertarian societies, but they aren't. The Swedish left aren't democrats. But the left never really have. For people like this AC "democracy" doesn't really mean "free country where you talk about everything and then vote about it", in his view "democracy" mean "positive rights at the cost of negative rights because that's better for the collective."
  He's most likely a socialist and that's how it is.
  
  They're right-wing/racist/ultra-nationalist
  The Sweden democrats are economical middle/center. Sweden have no economical right party in the government. They aren't authoritarian, all that is association play, because Hitler killed Jews anyone who want to preserve their people or their nation are for genocide is how he argue. There's nothing more to it. Never mind actually trying to enforce the destruction of a people which is what some anti-racists think is the best cure for racism actually _IS_ in the fucking genocide convention itself. That's racist.
  If by racist you mean "those people are trash" than that's of course not party of the program of the party. They describe themselves as a social-conservative party with nationalistic influences. The two later being pretty sane. Personally I'm unsure about socialism whatsoever. Socialism in the form of taxes and lots of money to the politicians and their decisions obviously grant them a lot of power (plus it's theft) so that's not really nice. The better alternative which would also beat direct democracy would be to steal the money as is already done but then giving it back straight up to the people but redistributed. At-least then you'd empower the people and we wouldn't have any authorities and rulers, We'd rule ourselves and make our own choices. I'm kinda willing to say that NO-ONE without family ties would spend the money the Swedish governme
6. Re:Do as we did in Sweden. by aliquis · 2017-07-24 08:22 · Score: 1
  
  Why all the Russophobia?
  Did Russia violate any Swedish interests lately, or are you guys still bitter over 1809?
  The left haven't even cared about having a fucking defense whatsoever.
  They don't want us to export weapons. They don't want us to make weapons. They don't want us to spend money on the defense. They rather send their most annoying screaming load-mouths over and hope that do the trick I guess.
  It's very simple, and it's not even about democracy and rights, you didn't had that in USSR either: For the Swedish communists USSR was good because they were communists. As of right now because communism aren't ruling but rather money and oligarchs and because Russia doesn't bend over to the world collective and because the puppet of the EU and UN and doesn't help with the NWO they don't like it.
  One thing about all the retarded stuff they are for and argue is that supposedly because we make weapons or are allies with the west / US we're responsible and hence should allow the Muslim invasion. That's an argument also used by the Muslim invaders themselves, but let's be honest, they aren't one of us and may be our enemies and have their own interests not in line with ours so that's understandable for them.
  Anyway, the argument goes that because US/Nato/west interfere in their country we should let him in.
  But on the same time we should be allied with NATO! (and/or the EU) Why? Because we've got so shitty defense and they don't want nationalism.
  But of course if we're allied with and actively participating with say the US which lets face it is a huge part of the reason there's way in those areas to begin with (and if not for them then French and GB influences before that), so then we become the fucking cause of the flows which they can then use as an excuse for the genocide of our people and stealing our countries and freedom.
  If however Sweden remained neutral, sovereign and had its own defense and didn't participated in those wars then what would that excuse would be turned into nothing but nothingness.
  Now Germany is so fucked up and ruled by such sui-genocidal socialist traitor politics and filled of non-Germans that one don't want to have that piece of shit as part of your "club", and Sweden it'self is about as bad (slightly more free but a shitload of bad immigrants) that our neighboring nations may not be interested. But if one had done what I would prefer over the EU and Nato option, to instead form a Nordic federation of say Iceland, Norway, Sweden, Denmark, Finland, Estonia and possibly other Baltic nations and/or Poland and such too then we'd be powerful enough by ourselves and could just ignore the EU for politics (but possibly for trade) and NATO and Russia wouldn't have to worry because it's not like we would go attack Russia and on the other hand we'd become more of a resistance than Finland and especially the Baltic states could put up alone. The Baltic states of course are protected by NATO as is whatever that's worth but Finland right now aren't. So Finland is alone.
  It's all politics and not the actual risk of Russia attacking. The most likely victim of a Russian attack in Sweden would be to take Gotland but beyond that why bother? Unless the goal is all of Scandinavia.
  I also assume it's an excuse and something to put up fear against rather than the Muslim and African invaders.
  If you can paint Russia as what's to be afraid of maybe you'd ignore the Muslims.
  If nothing else because the Sweden democrats see Putin as a good leader due to sovereign Russia and them not bending over to generating a world government with the same leaders of everything they can also claim that "oh but they are supporting the enemy!" while they too support the enemy (in that case the Muslims and the EU and globalism and themselves), but the thing is you're not allowed to talk about the former enemy of those and as for the others far from everyone see and understand they are the enemy so that doesn't matter.
  So if given a c
7. Re:Do as we did in Sweden. by aliquis · 2017-07-24 09:56 · Score: 1
  
  .. kinda telling none of the idiots who commented my comment focused on what had actually happened: That information supposed to be controller by the authorities were leaked abroad but instead focused on the one party which was against allowing that to happen in the first place. .. All focus on the party, none on the actual subject .. .. which also explain how the Swedish parliament & media work, but it's so retarded.
8. Re: Do as we did in Sweden. by Whiteox · 2017-07-24 15:41 · Score: 1
  
  Yeah!? Well here in Oz, you can buy Nazi Goering noodles in almost any supermarket. That's about as Nazi as you can get.
  
  --
  Don't be apathetic. Procrastinate!
Re:Cyber Cold War by Anonymous Coward · 2017-07-23 19:01 · Score: 1

when the next big war starts, a lot of computers all over the world are rapidly going to get pwned.
once computers and the internet become "the enemy" people are just gonna have to turn them off!
as long as people only use computers and the internet for entertainment, everything will be fine. if people start using computers and the internet for important things like critical infrastructure or national defence then there will be big trouble!
Re:Cyber Cold War by Anonymous Coward · 2017-07-23 19:42 · Score: 2, Insightful

Yeah, good thing Hillary wasn't elected. She wouldn't have been a proper doormat for Putin.
How to trust? by pntkl · 2017-07-23 19:43 · Score: 3, Interesting

National origin doesn't matter, people simply can't have full faith in closed source. All this propagandizing does is make modern man more equivalent to the cave man. If Kaspersky is offering source review with compilation on trusted systems, with sample submissions and the like running through trusted networks, then it's probably more trustworthy than others. People will remain clubbing it out like cave men, until they fundamentally change their markets and valuations, along with their software. Software bound to the confines of a society thriving on corruption bleeds that same corruption. Our own abhorrence towards such a state of being should inspire us to try and change it for the better, despite the likelihood of ending up as its victims ourselves.
1. Re:How to trust? by pntkl · 2017-07-23 21:03 · Score: 1
  
  I'll agree they have fool faith, bad faith, but not full faith, good faith.
Re:Another tidbit pearl of wisdom... apk by Zontar+The+Mindless · 2017-07-23 19:44 · Score: 1

Thanks for posting the stupidest thing I've read so far today.

--
Il n'y a pas de Planet B.
Crap Headline by Zontar+The+Mindless · 2017-07-23 20:24 · Score: 1

Better: "US Govt. Removes Kaspersky from Approved Vendors List".

--
Il n'y a pas de Planet B.
Re:Cyber Cold War by jellomizer · 2017-07-23 20:59 · Score: 2

Our network is a critical infrastructure.
Nearly all communication ends up on the internet in some way.
A nation wide internet outage would cripple us, and make us prone to physical attack and demoralized the nation.
This isn't the 1980's where networked computers are used by a few egg heads to discuss Star Trek anymore.

--
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
How did Kaspersky get the contracts before? by WarlockD · 2017-07-23 21:54 · Score: 1

The US Government MUST of, at-least internally, had discussions about this very subject before all the Russian hacking came around. I mean Kaspersky has been around for at-least a decade, plenty of time to root everyone PC. I am not saying Kaspershy is Putin's lap dog, but I want to know what the discussions were before this whole fiasco happened and what evidence shown that Kaspersky is dangerous now.
I mean it feels like Putin is having us run around in circles while all he is doing is sitting having a vodka:P/p?
1. Re:How did Kaspersky get the contracts before? by dunkelfalke · 2017-07-23 22:09 · Score: 2
  
  Must of what? Apples?
  
  --
  "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
No advantage for code security by sjbe · 2017-07-23 23:25 · Score: 1

National origin doesn't matter, people simply can't have full faith in closed source.
People can't have full faith in open source either unless they are either capable of reviewing all the code themselves or can somehow establish a trusted chain of custody for all the code and tools to compile it. Most people cannot do the former and only large organizations realistically have the resources to do the later. There are undeniably huge advantages to open source but code security doesn't stand up to strict scrutiny in real world use for non-trivial use cases. I don't compile my software like most people and I'm not remotely qualified to review the code. So from that standpoint there is essentially no difference to me between open and closed source as an end user. There are great advantages to open source but this isn't one of them.