'US Intelligence Agencies Should Put Up Or Shut Up With Kaspersky Rumors' (csoonline.com)
itwbennett writes: As previously reported on Slashdot, U.S. intelligence agencies have warned against using Kaspersky software amid swirling rumors of ties between Kaspersky Lab executives and the Russian government. White House cybersecurity coordinator Rob Joyce this week advised against consumer use of Kaspersky software. This may be good politics, but CSOonline's Fahmida Rashid warns that it's bad infosec. 'If the government has any evidence -- or even compelling reasons for being suspicious -- it should be sharing that, because many companies and consumers rely on Kaspersky Lab products. The fact that the government hasn't done so makes it likely this is all just geopolitics,' writes Rashid. 'There is enough FUD in the market without throwing politics into decision-making. Organizations should focus on deploying the technology which best addresses their needs.'
Not an outright lie, more like some ignorant interpretation of the facts. A straw man to distract people from the illegal hacking that our own government does to 'protect' us.
"Just" geopolitics. I like that.
It's merely two countries with vast nuclear arsenals and unstable leaders trying to destabilize each other. What could go wrong?
You are welcome on my lawn.
http://www.csoonline.com/artic...
'If the government has any evidence -- or even compelling reasons for being suspicious -- it should be sharing that, because many companies and consumers rely on Kaspersky Lab products.
While I wholeheartedly agree with this statement, I will not be surprised if this administration uses the line, "Sharing more of what we have already divulged will be tantamount to giving up our sources and methods."
BTW, this line was used by the Obama administration as well, when they were talking about Russian involvement in last year's elections.
How it makes sense, I cannot figure out.
This time is no different. There is tons of smoke, and a despot with his hand near the wheel. Regardless of whether or not there is currently corruption, there is nothing stopping it from happening undetected in the future. We have been debating this situation here, at the executive level, for over a year. I have been steadfastly against making a change (we use Kaspersky), but at a certain point it comes down to putting your name on the line certifying Kaspersky as safe. Are you comfortable with that? I'm not. So I had to give in. I'm not going to put my job on the line for commodity security software.
You don't have to prove that Kaspersky is in bed with Russian intelligence to not want to use it for government computers.
Merely suspecting it might be is enough reason not to use it.
"That's the way to do it" - Punch
I have the info on why nobody should be using Kaspersky's software, and I don't have any classified intel. I'm about to tell you something that you've probably already known for 20 years:
Virus scanners are bullshit. If your security relies on executing totally untrusted code but hoping to have checked it against a blacklist first, then you have already lost. Your solution is stupid and you're a stupid person for thinking it might have worked.
The way to protect against viruses is to not run any code that you have no reason to trust. If you are having unprotected sex with a dozen strangers per day, you are going to get an STD even if you ask each stranger "hey, have you been checked out lately?" before each encounter.
Stop downloading and running random code. If you keep picking up strangers in bars, you're eventually going to get an STD. Maybe you've been lucky so far, but it's still just a matter of when. At a minimum, use a condom (run random untrusted code in a sandbox/VM/disposable) and accept that even protection isn't perfect. I'm not saying you need to be monogamous (only run code from the Debian repo) but that is the way to minimize risk. But geez, asking the strangers "have you been checked out lately" is not a serious solution in any way.
If you're using AV software, you are wasting your time. And if you're paying for AV software, you are wasting money.
And you already knew that. There are no surprises here.
They're worried about Made-in-Russia software running on Made-in-China hardware/firmware? HAHAHAHAHAHA.....
File under 'M' for 'Manic ranting'
The problem that officials face is what to do with imperfect information. In the current environment, with Russians messing with the U.S. election, an America-First President, and recent overseas terrorist attacks, who is going to decide not to act on even thin information? I doubt that the actual decision makers at most corporations are in a position to second-guess the U.S. government. The whole thing could just be thin information steamrolling because nobody wants to be the one to put a stop to things.
No need to worry. Most Americans don't take anything the White House has to say seriously, anyway.
So I looked but I can't find any places where Rashid has asked for similar disclosure of evidence of the so-called collusion with the Trump campaign.
If you install Kaspersky you are a sucker, like Moscow Donald's supporters.
The correct term is 'useful idiot', get it right next time.
IN ALL SERIOUSNESS: I agree with TFA; if there is actual, independently verifiable PROOF that it's compromised by design, then the Feds should release that information. Alternatively, there are plenty of 'IT security researchers', 'white hats' and plain old 'hackers' in this country (U.S.) that are more than capable of verifying whether it's spyware or not, with or without government help; where the hell are they with their reports on this?
They put up. They said that they don't trust them, and that's all they need do. They'd do the same for any other anti-virus product that they didn't trust.
End of Report, end of discussion.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
I never worry that a Russian company is going to steal my ideas and compete against me for actual paying customers. Chinese or American companies I worry about. Getting fucked by a stupid American patent is something I definitely worry about and thanks to the NSA and now CIA I'm very concerned about made in the USA or even passed reasonably close to the USA. If Kaspersky was (and I doubt it) completely compromised by the Russian secret service then they seem to be doing a good job keeping it a secret. Maybe they are even more motivated to keep my information secret than a regular private company. I don't even see a down side here.
What if the NSA wants to make an exploit but needs the help of anti-virus and network security vendors to keep the exploit secret? It is one thing to build something that works today and is undetectable; it is quite another to make it undetectable 10 years from now when someone reboots a compromised VMware image and traffic monitoring equipment starts inspecting the traffic out of the virtual machine. Does this mean Kaspersky is the only vendor not tainted by the NSA?
Just because they didn't give some random guy on the internet evidence, they must therefore have no evidence. Come on, man. I trust Kaspersky with my security about as much as I would trust John Wayne Gacy with my children. As programmers, you all should have seen this coming from 100 miles away. It would be trivially easy for the Russian government to use Kaspersky for all sorts of purposes, and they probably already do.
We in the US know that any government will exert as much pressure as possible on big well connected businesses (Microsoft, Google, etc) to provide as much information and intelligence work as they can get away with. However, these businesses happily push transparency reports and we can see the frequency at which our government tries and succeeds.
Knowing that any government will do this, we can assume the Russian intelligence agencies are doing the same things at roughly the same order of magnitude.
With this in mind, it is disingenuous of Kaspersky to say that they have never cooperated with the Russian government, and that they will never cooperate. In the US, Putin is portrayed as someone you don't say no to. Your life will be on the line otherwise, and you've now committed yourself to a sudden heart attack and death from "natural causes".
So the US is right to suspect that Russia can at any moment take control of the Kaspersky software. Maybe Mr Kaspersky won't be involved, but the government will exert force on the key underlings needed to do so. They will choose life or death, and a job isn't worth dying over.
There are consequences to being based in a country that, as a matter of normal practice, considers its companies to be an extension of the state. The question isn't so much "do you trust Kaspersky" as "do you trust Putin's Russia". For me the answer is no! Does anyone believe that Kaspersky could resist a full out press from Putin for nefarious use of Kaspersky's huge power? He could only use it once and Kaspersky would be destroyed, so there would never be evidence of it until a one-time use of the silver bullet was required. But the damage could be devastating, like going cyber-nuke. For that matter, do you trust Trump re: American anti-virus companies? For me the answer is the same, no! The only answer long term is to aggressively fund OSS efforts so they can openly produce competitive products. This is up to each of us to do in order to maintain some distance from those who would abuse the system.
...has its corporate base in a country with a government. That is because it 1) can be manipulated by the government, or 2) IS the government.
Because of that I only use free, open source AV.
U.S. companies knew about Kaspersky issues for years. This didn't come out of the blue.
How are you going to verify if it's spyware or not?
Most likely the software is programmed to download automatic updates. This means that it could go from being benign to being a trojan overnight -- for whichever subset of IP addresses the people running the update servers want.
It's impossible to audit the security of autoupdating code; you're at the mercy of whoever controls the updates.
I keep hearing that the people responsible for stuff such as WMD in Iraq and the overthrow of the democratically elected governments of several countries in this last century are telling me not to use a certain product. I feel more and more inclined to install it. Just keep my antivirus of choice (Avira) and add on Kaspersky for the added security.
So the question is, "Who is more dangerous to you, personally, the KGB or the CIA/FBI/NSA?".
And that's assuming that I accept your assertion which, I admit, is plausible.
I think we've pushed this "anyone can grow up to be president" thing too far.
Sometimes, in intelligence, you act without explaining your motivations and reasons.
Think what you want to. Believe what you want to. The absolute right of any modern intelligence agency is to believe something is true without explanation.
The last thing that the intelligence world wants to do is tell every Tom, Dick, and Harry out here how it spies on other nations and how it catches people/organizations.
I am amazed at all of the idiots calling for NSA to out themselves for what they do LEGALLY.
Even now, look at what is going on with the Trump investigation. Trump/family/admin continue to make a statement that is a lie. So, NSA will release a piece of evidence that refutes those lies, and offers up another clue. Now, why do they not simply dump all of their data on people like Trump, Pence, Bannon, etc. for their treason? Because to do so would allow Russia and China to figure out how we spy on their spies and then get around us. That would be a disaster. The best thing that happens is when these top nations have inside information about POLICY/WHY, but not about the HOW. This has prevented a number of wars. But, once a nation like China gets the HOW, then it will lead from China's cold war with the west to a full blown hot war, which could lead to nukes.
REAL BAD IDEA.
I prefer the "u" in honour as it seems to be missing these days.
If you're part of the US Government, then the answer is sure as hell Russia.
If you're a corporation in the United States or Europe, the answer is sure as hell Russia.
If you're a private citizen in the United States or Europe, then no one on either side gives a crap about you, so you can use what you want. Isn't it great being the insignificant bug beneath the heels of nations?
End of discussion. How many people compiled that SSL code? Millions. How many people actually read it. Apparently not too goddamn many.
Only the State obtains its revenue by coercion. - Murray Rothbard
Keep demanding what the intelligence agencies do and take their ignoring you as intentionally denying your wishes. Stay in school kids. Maybe read some history books.
Probably the Russians getting their Trump allies to put pressure on Kaspersky to bow to Putin.
His "personal enemy" had those words put in his mouth, but even if that was true then, it is unlikely to be true now.
any accusations that come out of the mouth of the American government should by default be considered lies and propaganda, with political motivation, simple as that.
You don't have to prove that ALL software developers in the U.S. are in bed with the CIA/NSA to not want to use it; it is about risk. And thus you condemn all countries to reinvent the wheel, as no software whatsoever is trustable.
C. Sagan: A Demon-Haunted World:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
While Rashid is right to challenge the Russophobic line inherent in this story (which draws from and is a repeat of the 'Russiagate' lies meant to distract the public from Hillary Clinton's 2nd presidential campaign loss and unwillingness to take sole credit for her choices which led to and explain that loss and stoke fear which could lead to war with Russia), Rashid misses the point that there is a great reason to reject Kaspersky's software: it's nonfree (user-subjugating, proprietary) software. This is the reason to reject any other nonfree software regardless of that software's purpose, certainly when said software purports to keep one safe from security threats such as malware.
Handing over Kaspersky source code to the US Government is no solution: regardless of whether Kaspersky is malicious this does nothing for the users of the program outside the US Government who deserve software freedom to be respected.
Malware is certainly worth looking out for and worth taking steps to avoid, but trusting one black box to keep one safe from the threats of another is no way to do this job. We should hire programmers to improve free software anti-malware solutions so computer users aren't put in a position of having to blindly trust one proprietor instead of another. Switching masters is not the course to freedom, liberating oneself from masters is.
Digital Citizen
US government is a child. They tried to steal Ukraine so they could use Crimea to launch attacks on Russia and control the Black Sea and Russia wouldn't have it. US government also tried to steal Syria by sponsoring terrorists like FSA, Al Nusra, and ISIS to oust Assad and Russia wouldn't have it. Now butthurt children of US government are doing everything they can to punish Russia such with sanctions, McCarthyism, and fake news.
US = shithole
You must not understand the nature of a covert agency. This is like asking the President to always tell the truth.
There is no such thing as a former chekist.
Meanwhile... major US communication network management systems are written by Ukrainian and Russian developers and not a peep.
My cynical thoughts on Kaspersky: I'd rather another government have access to my data than my own.