'US Intelligence Agencies Should Put Up Or Shut Up With Kaspersky Rumors' (csoonline.com)
itwbennett writes: As previously reported on Slashdot, U.S. intelligence agencies have warned against using Kaspersky software amid swirling rumors of ties between Kaspersky Lab executives and the Russian government. White House cybersecurity coordinator Rob Joyce this week advised against consumer use of Kaspersky software. This may be good politics, but CSOonline's Fahmida Rashid warns that it's bad infosec. 'If the government has any evidence -- or even compelling reasons for being suspicious -- it should be sharing that, because many companies and consumers rely on Kaspersky Lab products. The fact that the government hasn't done so makes it likely this is all just geopolitics,' writes Rashid. 'There is enough FUD in the market without throwing politics into decision-making. Organizations should focus on deploying the technology which best addresses their needs.'
Not an outright lie, more like some ignorant interpretation of the facts. A straw man to distract people from the illegal hacking that our own government does to 'protect' us.
http://www.csoonline.com/artic...
This time is no different. There is tons of smoke, and a despot with his hand near the wheel. Regardless of whether or not there is currently corruption, there is nothing stopping it from happening undetected in the future. We have been debating this situation here, at the executive level for over a year. I have been steadfastly against making a change (We use Kaspersky), but at a certain point it comes down to putting your name on the line certifying Kaspersky as safe. Are you comfortable with that? I'm not. So I had to give in. I'm not going to put my job on the line for a commodity security software.
You don't have to prove that Kaspersky is in bed with Russian intelligence to not want to use it for government computers.
Merely suspecting it might be is enough reason not to use it.
"That's the way to do it" - Punch
I have the info on why nobody should be using Kaspersky's software, and I don't have any classified intel. I'm about to tell you something that you've probably already known for 20 years:
Virus scanners are bullshit. If your security relies on executing totally untrusted code but hoping to have checked it against a blacklist first, then you have already lost. Your solution is stupid and you're a stupid person for thinking it might have worked.
The way to protect against viruses is to not run any code that you have no reason to trust. If you are having unprotected sex with a dozen strangers per day, you are going to get an STD even if you ask each stranger "hey, have you been checked out lately?" before each encounter.
Stop downloading and running random code. If you keep picking up strangers in bars, you're eventually going to get an STD. Maybe you've been lucky so far, but it's still just a matter of when. At a minimum, use a condom (run random untrusted code in a sandbox/VM/disposable) and accept that even protection isn't perfect. I'm not saying you need to be monogamous (only run code from the Debian repo) but that is the way to minimize risk. But geez, asking the strangers "have you been checked out lately" is not a serious solution in any way.
If you're using AV software, you are wasting your time. And if you're paying for AV software, you are wasting money.
And you already knew that. There are no surprises here.
They're worried about Made-in-Russia software running on Made-in-China hardware/firmware? HAHAHAHAHAHA.....
It makes perfect sense if it was actually a complete fabrication
File under 'M' for 'Manic ranting'
The problem that officials face is what to do with imperfect information. In the current environment, Russians messing with the U.S. election, an America-First President, and recent overseas terrorist attacks, who is going to decide not to act on even thin information? I doubt that the actual decision makers at most corporations are in a position to second-guess the U.S. government. The whole thing could just be thin information steamrolling because nobody wants to be the one to put a stop to things.
No need to worry. Most Americans don't take anything the White House has to say seriously, anyway.
If you install Kaspersky you are a sucker, like Moscow Donald's supporters.
The correct term is 'useful idiot', get it right next time.
IN ALL SERIOUSNESS: I agree with TFA; if there is actual, independently verifiable PROOF that it's compromised by design, then the Feds should release that information. Alternately there are plenty of 'IT security researchers', and 'white hats' and plain old 'hackers' in this country (U.S.) that are more than capable of verifying whether it's spyware or not, with or without government help; where the hell are they with their reports on this?
They put up. They said that they don't trust them, and that's all they need do. They'd do the same for any other anti-virus product that they didn't trust.
End of Report, end of discussion.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
BTW, this line was used by Obama administration as well, when they were talking about Russian involvement in last year's elections.
How it makes sense, I cannot figure out.
I recall that. If one wants the gov to 'put up or shut up' regarding evidence for Kaspersky, they should want the same regarding evidence regarding Trump and Russia, but the media seems to be fine with insinuations, a lot more to assume that way.
I never worry that a Russian company is going to steal my ideas and compete against me for actual paying customers. Chinese or American companies I worry about. Getting fucked by a stupid American patent is something I definitely worry about and thanks to the NSA and now CIA I'm very concerned about made in the USA or even passed reasonably close to the USA. If Kaspersky was (and I doubt it) completely compromised by the Russian secret service then they seem to be doing a good job keeping it a secret. Maybe they are even more motivated to keep my information secret than a regular private company. I don't even see a down side here.
What if the NSA wants to make an exploit but needs the help of anti-virus and network security vendors to keep the exploit secret. It is one thing to build something that works today and is undetectable; it is quite another to make it undetectable 10 years from now when someone reboots a compromised VMware image and traffic monitoring equipment starts inspecting the traffic out of the virtual machine. Does this mean Kaspersky is the only vendor not tainted by the NSA?
Suppose that the information was retrieved from the SSL connection to Kaspersky's servers. If so, then they'd have admitted that they either have compromised Kaspersky's certificates (unlikely) or they have a standard MITM attack vector for all SSL connections (a lot more likely, as it's based on trust).
Either reveal is bad for national security, so they truly shouldn't say more. I personally haven't used Kaspersky ever, as it was a 100% Russian product with root capabilities (well, on Windows everything has root) that frequently called home to be at all useful.
The cesspool just got a check and balance.
There are consequences to being based in a country that, as a matter of normal practice, considers its companies to be an extension of the state. The question isn't so much "do you trust Kaspersky" as "do you trust Putin's Russia". For me the answer is no! Does anyone believe that Kaspersky could resist a full out press from Putin for nefarious use of Kaspersky's huge power? He could only use it once and Kaspersky would be destroyed, so there would never be evidence of it until a one-time use of the silver bullet was required. But the damage could be devastating, like going cyber-nuke. For that matter, do you trust Trump re: American anti-virus companies? For me the answer is the same, no! The only answer long term is to aggressively fund OSS efforts so they can openly produce competitive products. This is up to each of us to do in order to maintain some distance from those who would abuse the system.
...has its corporate base in a country with a government. That is because it 1) can be manipulated by the government, or 2) IS the government.
Because of that I only use free, open source AV.
Suppose that the information was retrieved from the SSL connection to Kaspersky's servers.
No one is asking them for info on how they may have got the stuff. All we want is *the* stuff. They will never divulge details [possibly] because this information is fake.
How are you going to verify if it's spyware or not?
Most likely the software is programmed to download automatic updates. This means that it could go from being benign to being a trojan overnight -- for whichever subset of IP addresses the people running the update servers want.
It's impossible to audit the security of autoupdating code; you're at the mercy of whoever controls the updates.
I believe there is an investigation right now into whether there is evidence of collusion between Trump and Russia.
So the question is, "Who is more dangerous to you, personally, the KGB or the CIA/FBI/NSA?".
And that's assuming that I accept your assertion which, I admit, is plausible.
I think we've pushed this "anyone can grow up to be president" thing too far.
If the only way to get said information is to break SSL....
You are being entirely too sensible - knock it off.
#DeleteChrome
The last thing that the intelligence world wants to do is tell every tom, dick, and harry out here how it spies on other nations and how it catches ppl/organizations.
I am amazed at all of the idiots calling for NSA to out themselves for what they do LEGALLY.
Even now, look at what is going on with the Trump investigation. Trump/family/admin continue to make a statement that is a lie. So, NSA will release a piece of evidence that refutes those lies and offers up another clue. Now, why do they not simply dump all of their data on ppl like Trump, Pence, Bannon, etc. for their treason? Because to do so would allow Russia and China to figure out how we spy on their spies and then get around us. That would be a disaster. The best thing that happens is when these top nations have inside information about POLICY/WHY, but not about the HOW. This has prevented a number of wars. But, once a nation like China gets the HOW, then it will lead from China's cold war with the West to a full blown hot war, which could lead to nukes.
REAL BAD IDEA.
I prefer the "u" in honour as it seems to be missing these days.
You can only sue the US government (in a US court) if you first get their permission.
You misunderstand.
If they don't give *ME* evidence, why should *I* trust them? They don't have a very good track record for trustworthiness.
When a liar tells you something, it might be true. But since you know he's a liar you shouldn't readily believe him without evidence.
As opposed to all the American companies that couldn't possibly be used by American government agencies for "all sorts of purposes"?
Let's be real here. Assume all software and hardware is likely spying on you. Now choose which country is least likely to have jurisdiction to make your life miserable if you say something they don't like. I don't live in Russia, and I'm unlikely to visit there, so I'd rather their government were spying on me than the American one, because the USA seems to think it has jurisdiction everywhere, and I am likely to end up visiting there.
Back during the Cuban Missile Crisis President Kennedy put forward the U-2 photos showing the missile sites. He didn't hide behind the whole sources and methods thing.
If someone's not willing to present their evidence, then you probably shouldn't trust them unless they have demonstrated they can be trusted. The three letter agencies have all demonstrated they cannot be trusted.
End of discussion. How many people compiled that SSL code? Millions. How many people actually read it. Apparently not too goddamn many.
Only the State obtains its revenue by coercion. - Murray Rothbard
You don't have to prove that ALL software developers in the U.S. are in bed with the CIA/NSA to not want to use it; it is about risk. And thus you condemn all countries to reinvent the wheel, as no software whatsoever is trustworthy.
C. Sagan: The Demon-Haunted World:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
While Rashid is right to challenge the Russophobic line inherent in this story (which draws from and is a repeat of the 'Russiagate' lies meant to distract the public from Hillary Clinton's 2nd presidential campaign loss and unwillingness to take sole credit for her choices which led to and explain that loss and stoke fear which could lead to war with Russia), Rashid misses the point that there is a great reason to reject Kaspersky's software: it's nonfree (user-subjugating, proprietary) software. This is the reason to reject any other nonfree software regardless of that software's purpose, certainly when said software purports to keep one safe from security threats such as malware.
Handing over Kaspersky source code to the US Government is no solution: regardless of whether Kaspersky is malicious this does nothing for the users of the program outside the US Government who deserve software freedom to be respected.
Malware is certainly worth looking out for and worth taking steps to avoid, but trusting one black box to keep one safe from the threats of another is no way to do this job. We should hire programmers to improve free software anti-malware solutions so computer users aren't put in a position of having to blindly trust one proprietor instead of another. Switching masters is not the course to freedom, liberating oneself from masters is.
Digital Citizen
Fine. Don't sue, charge them criminally. Their only out is to then admit that it is an opinion only.
Meanwhile... major US communication network management systems are written by Ukrainian and Russian developers and not a peep.
My cynical thoughts on Kaspersky: I'd rather another government have access to my data than my own.