Kaspersky Lab To Open Software To Review, Says Nothing To Hide (reuters.com)
Moscow-based Kaspersky Lab will ask independent parties to review the security of its anti-virus software, which the U.S. government has said could jeopardize national security, citing concerns over Kremlin influence and hijacking by Russian spies. From a report: Kaspersky, which research firm Gartner ranks as one of the world's top cyber security vendors for consumers, said in a statement that it would submit the source code of its software and future product updates for review by a broad cross-section of computer security experts and government officials. It also vowed to have outside parties review other aspects of its business, including software development. Reviews of its software, which is used on some 400 million computers worldwide, will begin by the first quarter of next year, it said. "We've nothing to hide," Chairman and CEO Eugene Kaspersky said on Monday. "With these actions we'll be able to overcome mistrust and support our commitment to protecting people in any country on our planet." Kaspersky did not name the outside reviewers, but said they would have strong software security credentials and be able to conduct technical audits, source code reviews and vulnerability assessments.
(... except backdoor.c.)
Well they can show the source, but that may not be the source used to build the product.
We dumped Kaspersky a year ago. Way too risky.
Translation: we've finally hidden all the dodgy stuff.
P.S. Forrester says they're shite.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
And I don't mean sue them through civil court for damages, I mean actually file real criminal charges against them. Since the government appears to want to keep being mum about why they are saying this about Kaspersky, their only defense against this would then be to go on record as saying that this is in their opinion only, and not based on any actual findings.
Of course, none of this would necessarily prove that Kaspersky software can actually be trusted, but it would force the US government to shut up about it, unless they are prepared to reveal exactly *why* they believe the company is less than trustworthy (which I don't think they want to do).
File under 'M' for 'Manic ranting'
Can I prove the binary on my system was built from the sources the auditor reviewed?
If not, the review isn't worth very much.
If they do that, then that's absolutely great and reason alone to switch to Kaspersky. Everybody should welcome this.
Closed-source antivirus and other security products (encryption, voting machines, credit card processing, etc.) tend to be fairly insecure for lack of external auditing. Companies go to great lengths to claim how careful they are etc., but the sad truth is that without any external auditing they will allow all kinds of blunders, fix vulnerabilities late and secretly, etc. This has been proven again and again.
It's definitely a step in the right direction. To say more about it, we'll need to see the printed results of the audits and who conducted them.
What they show and what they compile and ship aren't guaranteed to be the same.
Very simple question really - and I am biased towards Kaspersky's side on this argument - what is the assurance that the user-facing builds will be based solely on the reviewed code?
I am all in for transparency, especially in scenarios where there are serious accusations and serious financial/security/privacy implications. But transparency cannot be dust in the eyes (is this a right use for the idiom?).
The program detects arbitrary files and retrieves samples of them using signatures provided by a company in Russia.
Kaspersky is the one that identified the NSA and CIA tools right.....and Stuxnet
can't have those pesky east europoors disclosing their debauchery
The problem with this is that with any antivirus software you have to keep the virus database and AV engine up to date for it to be effective.
So that means at any point in the future "backdoor.c" can be added and deployed automatically, and the users would be no wiser.
Also does this actually prove that the compiled binary blob is without a backdoor????
From my understanding the software "worked as advertised" and pulled back Word DOC and other files for additional investigation. Allegedly those files ended up in the Russian government's hands via that pull back.
So what's an analysis of the source code going to show? That Kaspersky sends back Word DOC files? Well... DERP.
The CEO of Kaspersky has already defended his software's actions that pulled back code that looked like it was malicious and that they make no apologies for being aggressive in tracking cyber-crime.
More importantly will this release of the source code include their data tables for the signatures and key phrases they detect?
Kaspersky is guilty of "writing code while being Russian".
Giving others the ability to read your source means nothing. The software may well do exactly what it advertises it does. But when it flags certain types of files, and that flag is sent back to Kaspersky Central, and that flag gets seen by a black hat, THAT is the breach of security. The black hats are looking for certain types of files out there, and Kaspersky is their front man, scanning all the systems it can, looking for possible Trojans etc and sending home all the data about who has what on which system at what IP address. Who needs covert operations when the overt ones provide all the information one needs?
Everybody here seems to be falling how they still can't trust them, because they can't build the code. Although that is true, they still do more than Norton and others.
How do you know they are not infiltrated by the Russians? Perhaps they are and they are also infiltrated by the NSA. Do you think the NSA would tell you not to use it?
The only thing I am sure about is that Kaspersky is not infiltrated by the NSA as they seem to be making such a fuss about it.
Indeed we can't be sure about any of the software that we use if we are not able to build it ourselves. Windows. MacOS. Not trustworthy. Things in the cloud? Not trustworthy. So if you condemn Kaspersky, don't forget to condemn the rest as well. Because if the NSA has the info, the rest will as well.
So to me Kaspersky is the safest as ONLY the Russians can read everything in the worst case. In the same worst case, with the rest, the Russians can read it, together with the Americans.
Don't fight for your country, if your country does not fight for you.
Interesting, that is 2 weeks after Symantec announces the opposite.
http://www.reuters.com/article...
It is hard to say who is right and who is wrong.
(It is not obvious that showing the source to some groups is a good thing, as it may increase the risks for people not included in those groups)
I'm sounding like a broken record posting the same kinds of comments to these Kaspersky stories. The software itself isn't the issue. What does antivirus software do? Reads files, analyzes them for various content / fingerprints, transfers any files it deems "suspicious" back to the company for "analysis" (default setting, unless disabled by the user), and modifies and deletes files. Same with the system registry. There will be no surprises here - we already know the software has total access to read and write to anything on the system and transfer our files to 3rd parties.
The issue is the dynamic control of the software, not how the software was written. That is in the form of antivirus definitions, which are the fingerprints to identify malicious code, and the scripts used to clean (or simply delete) infected files, which are pushed to the software practically daily. THAT is the issue - who controls the behavior of the software. Let's go worst-case and assume Russia wanted to weaponize Kaspersky antivirus. All they have to do is force the company to identify a few key pieces of Windows OS as malicious files, and delete those files as the way of quarantining the malware. Suddenly millions of Windows machines stop working. How does having access to the source code prevent that?
What we need is antivirus definitions that are controlled by some neutral "open" body that we can actually put some trust in. Currently, I rely on Microsoft's antivirus software. Why? Well, they already hold the keys to my system. They can already screw me over with a bad OS update (and it is harder and harder to disable automatic updates with each new version of Windows). So at least them having the ability to also screw me over with a bad antivirus update doesn't represent an entirely new vector by yet another 3rd party.
Better known as 318230.
Oh, how about Norton or the other US antivirus packages? Will you likewise be leery of US software containing backdoors because they skipped out backdoor.c?
Hey, what about DRM software? It has an even greater control over PCs without their owners' consent than any antivirus software has. When will Denuvo be opened to inspection?
It's also how computer programs were sold before. Clearly you've not thought this through or are just either too young and/or clueless about computers to know what you're talking about.
And you've loathed the GPL which is written specifically so that your goal was a requirement. So clearly you don't want it except in this very VERY specific case.
Their CEO says so - it must therefore be true, right?
How about some security experts try to provide guidelines which would allow them to recommend to any government that they trust Kaspersky? This would be a major advance that would benefit all software vendors including competing antivirus vendors.
The idea is it costs money, but this is an investment in infrastructure security, so governments or cash-rich computer companies like Google, Microsoft, Apple could fund it perhaps.
So far I have not heard of anything that has not got a potential workaround. Here is a start:
- Full source code and build tools are maintained in multiple repositories maintained by trusted third parties (at least one per country).
- They identify functionality that may be questionable and opt-out by a country or user, such as sending any data at all from user computer to their cloud.
- Source code review by experts, including review of updates.
- Builds managed by experts.
- The built exe / dmg / etc. is deployed to a protected deployment server (an app store trusted by your OS) from which end user can download a licensed copy. Apple may wish it to go through the App Store but that would reduce security by adding more people into the chain. The server can also work for free software.
- List of files or patterns for which to search is maintained by a third party database, potentially this could be open to public (up to vendor). This kind of strategy can be used to limit the impact any single country's security agency can have on the activity.
- If phone-home tactics are necessary to beat malware bot swarms then this info could be anonymized and maintained in a third party database to which vendor has access. Potentially a country or organization could pay vendor to invest in this kind of proactive anti-malware activity.
- The above deployment server can also host open source tools for users that will monitor and prove that the currently running binary and processes in fact belong to the guaranteed safe code, build and tool chain above. This might limit the ability of malicious programs to corrupt the executing code on systems that do not have protection or for which such protection has been subverted.
I dunno about this one, while I think that it is a gesture of goodwill. I agree with others when they point out the fact that unless the entire build chain is published, this is basically useless. It would be very easy for a Gov sponsored actor with access to hide their tools in the build chain as opposed to the source.
Their US business is dwindling and this is a direct response.
an awesome antivirus product
only a true idiot could possibly believe that there is value in software that checks for bugs that are already known to be fixed and does nothing about the bugs that are not fixed
What we need is antivirus definitions that are controlled by some neutral "open" body
what we need is for idiots like you to stop using poor quality software
We wouldn't have to constantly deal with this shit if we had just sensibly elected John McAfee President.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
By reporting back telemetry in a method that it can be used by trained "external advisory" Russian agents, it doesn't matter how the software works, it matters what it does and what route it takes.
The Cold War is back. Get used to it.
-- Tigger warning: This post may contain tiggers! --
Unless you can point to a statute wherein we've waived Sovereign Immunity for that exact type of lawsuit, that would violate the 11th Amendment:
https://legal-dictionary.thefreedictionary.com/11th+Amendment
Doesn't matter how many reviewers sign off on this.
The market is never going to accept KL isn't sending all data to Moscow.
Even if they truly aren't.
I feel bad for them.
On a technical level this is pure BS: Kaspersky (and any other AV for that matter) updates include application components like libraries and binaries, so this source code audit is only valid for one particular version of the application which will be outdated days if not hours after being submitted. So, unless Kaspersky submits the source code continuously, this proposal is pretty much meaningless.
This should already be standard for all security software. Should also be demanded for Windows, OSX and other operating systems, at least any part that has access to files, memory, network, keyboard, screen, speaker, mic, auth and security mechanisms.
Oh how amazing would it be if Trump got impeached for violating the federal criminal code by slandering a Russian.
Won't happen (likely can't happen).
January should give them enough time to delete what should not be in there.
Why not release the source code for previous versions?
Source code is not enough. You need the build tool chain as well. You need to verify the tools don't inject anything in the binaries, and that the binaries produced from the exposed source are exactly the same as binaries sold or distributed by them. And one step backwards if they use open source tools is to examine the tools and build them. You need to go back to known safe code. Paranoia you say? XcodeGhost was created by hackers to infect apps on the Apple App Store. They convinced people to download it instead of the slower download from Apple's servers at the time. A nation state actor could do substitutions during legitimate downloads from known sites (and substitute in the checksum on the description pages).
- Tjp
I am in wallow with my inner money grubbing capitalistic pig. ... Oink!
the fact that we are CENTRALIZING the technological threat.
With every acquisition of a domestic corporation (not talking just the US, everywhere but China, Thailand, Indonesia and a few other places pretty much) the pool of tech companies that might not be compromised decreases. We only really have ~5 major anti-virus companies anymore, and at least 3 of those are US based, with R&D in lots of other 5 eyes countries.
If you start looking at major tech manufacturers they are almost all US/EU based, with manufacturing/assembly in China, Vietnam, Malaysia, Taiwan, Germany or Costa Rica. Even Japan doesn't have much of a presence anymore, barring the recent SoftBank purchase of ARM and Fujitsu's winding down line of SPARC processors.
The threat we are looking at today, thanks to globalization and nations allowing major domestic companies to sell themselves and their entire portfolio of IP and technology to foreign investors is a world where a small group of parties can compromise the tech and security of the *ENTIRE WORLD*. Unless we can back this out, by setting up independent fabs in multiple nations, pull more R&D back into smaller countries to maintain the sovereign integrity of their domestic data, we are all well and truly screwed. Maybe not today, but within a generation or two at latest.
I said it and I will say it again: if the NSA, the FBI and other 3-letter agencies don't like Kaspersky, it is a sure sign they are doing something well.
Do they really think people are ignorant enough to fall for this? Okay, actually the U.S. government undoubtedly is, but not the rest of us. Unless these security researchers with access to the source code are going to be the ones compiling it and releasing binaries, this is nothing but a pointless exercise. If they released verifiable builds, where independent security researchers could release a unique signature of the binaries generated from code they had compiled themselves, then *maybe* this would be interesting. Otherwise, it's just business as usual in the world of proprietary software.
How do we get a signed binary that matches the source? Will Kaspersky begin to release source to be compiled by the corporate side?
Then comes the inherent flaw in all antivirus software. The signature definitions. Plus what is reported back upstream. Say a definition is set up to look for DoD signatures (say metadata or keywords in file types). Any hits are sent upstream. What upstream does w/ the knowledge is another story, say a one time special update to pull back all "infected files." Then the definition file is returned to normal & damage done. Hell, if a 3rd party can spoof access they can do the same thing w/o being left holding the bag. AV software can only be trusted to people you trust your future to. Either in-house or Lloyd's of London type shite.
Where it was magnetic tape, floppy drives and indeed downloads. Oh, and printed.
The current trend in updating everything makes software and consumers dangerously and continually reliant on the producer of the program, or at least, it tries to do so. However, one type of software that has always needed this was anti-virus software. As such, anti-virus software and updates are intrinsically linked and have been, even back when BBS's were the closest thing to the Internet that most people had, even if it was a lot tougher to get them then (e.g. be shipped a floppy disk every few months).
As such it is pretty well impossible to expect an effective anti-virus wherein the software cannot be updated or have other provisions that allow for them to put anything and everything they want into the system at the time of their choosing - and then quickly cover it up, if so desired.
Anti-virus software takes on a special level of trust second only to the basic software that runs the computer on the lowest level, namely the firmware and OS. No amount of auditing will ever get past that, especially when it requires updates on a daily or even hourly basis to make sure it remains effective against threats that can arise with a few hours' notice (or less).
They could easily satisfy a lot of people by open sourcing their software, with reproducible builds, and just limit it by license so you can see but not copy. Reproducible builds would satisfy most people that they were getting what they were supposed to be getting.
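The check that the last few comments keep asking for (L93's "independent security researchers could release a unique signature of the binaries" and the reproducible-builds point just above) can be written down concretely. This is an added example, not code from the thread or from any vendor; the artifact bytes, commit id and builder names are constructed placeholders, and it assumes each independent builder publishes an attestation of the form (builder, source commit, SHA-256 of the rebuilt binary).

```python
"""Check a shipped binary against independent reproducible-build attestations.

Constructed, illustrative example: the artifact bytes, commit id and builder
names below are made up; no real vendor data is used.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Attestation:
    """One independent builder's claim: 'I rebuilt commit X and got hash Y'."""
    builder: str
    source_commit: str
    artifact_sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(artifact: bytes, audited_commit: str,
                    attestations: list[Attestation], threshold: int) -> dict:
    """Accept the artifact only if at least `threshold` distinct builders
    independently rebuilt `audited_commit` and got exactly this hash.

    Attestations for some other commit are ignored (that builder did not
    rebuild the audited source). Any builder that rebuilt the audited
    commit and got a different hash is a hard failure: either the build is
    not reproducible, or the shipped binary is not what the audited source
    produces. The threshold stops a single builder from vouching alone.
    """
    actual = sha256_hex(artifact)
    agree, disagree = set(), set()
    for att in attestations:
        if att.source_commit != audited_commit:
            continue
        (agree if att.artifact_sha256 == actual else disagree).add(att.builder)
    agree -= disagree  # a self-contradicting builder counts against, not for
    return {
        "artifact_sha256": actual,
        "agreeing_builders": sorted(agree),
        "disagreeing_builders": sorted(disagree),
        "ok": len(agree) >= threshold and not disagree,
    }


# Constructed sample data: the audited commit id is a placeholder, SHIPPED
# stands in for the vendor's download, TAMPERED for a substituted download.
AUDITED_COMMIT = "0000000000000000000000000000000000000000"
OLDER_COMMIT = "1111111111111111111111111111111111111111"
SHIPPED = b"constructed sample binary, built from the audited commit\n"
TAMPERED = SHIPPED + b"extra bytes the audited source never produced\n"

ATTESTATIONS = [
    Attestation("builder-a", AUDITED_COMMIT, sha256_hex(SHIPPED)),
    Attestation("builder-b", AUDITED_COMMIT, sha256_hex(SHIPPED)),
    Attestation("builder-c", OLDER_COMMIT, sha256_hex(b"some older build\n")),
]

if __name__ == "__main__":
    for name, blob in (("shipped", SHIPPED), ("tampered", TAMPERED)):
        print(name, verify_artifact(blob, AUDITED_COMMIT, ATTESTATIONS, 2))
```

Raising the threshold to 3 rejects the shipped binary as well, because builder-c's attestation is for a different commit and does not count toward agreement on the audited one.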
Though the kicker is that antivirus by design is effectively remote controlled by the malware definitions database it downloads, and the autosampling of suspect files to be sent back to the mothership could easily get out of control (like what appears to be the alleged case here). Though Windows Defender basically does autosampling as well, so how far do you trust Microsoft to protect their sample database (considering their bug DB got hacked, not that trustable)...
If the open source nature shows the upload capability must publicly log the uploads to the user and can't hide what it did, that might appease some more people, if the malware definitions were also in an open format with closed licensing.
Sorta Snort-esque license-wise?
identify a few key pieces of Windows OS as malicious files, and delete those files as the way of quarantining the malware.
So, working as intended?
Hitler gave Putin a high-five while they both kicked my dog!!!!!1!!
No, in fact the continued lack of software freedom for users is precisely the reason users should reject Kaspersky's, Microsoft's, Norton's, McAfee's, and so many other nonfree anti-malware software.
"Closed source" is the tell here—that term is a reference to the open source development methodology. And here we see why free software is better than open source: open source enthusiasts are fine with proprietary software so long as some people get to "review" the source code. In this case that set of people are described as "a broad cross-section of computer security experts and government officials"—an unknown set of people who, for all we know, are not interested in looking out for security issues users would find problematic, or bugs that might harm users. Such an arrangement is no better than what Kaspersky is offering now; any proprietor can offer an NDA-laden "review" that does not respect a users' software freedom. It's no accident that the open source group takes this view. Open source was defined to reject software freedom in its pitch to businesses. Ultimately we find time after time that open source enthusiasts are ready to abandon their own development methodology if it would make a business happier to work in secrecy. Software freedom activists, on the other hand, won't settle for less than software freedom: the freedom to run, inspect, share, and modify published computer software—users included.
In fact what we're seeing in your post is precisely what a later revision of the aforementioned essay talks about. In "Why Open Source Misses the Point of Free Software" we can find:
Digital Citizen
I bet they did a quick bikini wax before they lifted their skirt.
Africa is big. America, Europe and many other areas would fit on top of this continent. There is a map that shows this. I found this when I was doing a check on Niger. Niger is considered a Western African Country, but seems like it's more in the center. Our four Army men were killed there two weeks back, and no, they were not driving around in a jungle like some of the media is telling you. Niger is dry dry dry. More like Arizona.
At breakfast this morning I heard a ding and smelled something that had finished cooking. Kaspersky is toast.