Slashdot Mirror


Kaspersky Lab To Open Software To Review, Says Nothing To Hide (reuters.com)

Moscow-based Kaspersky Lab will ask independent parties to review the security of its anti-virus software, which the U.S. government has said could jeopardize national security, citing concerns over Kremlin influence and hijacking by Russian spies. From a report: Kaspersky, which research firm Gartner ranks as one of the world's top cyber security vendors for consumers, said in a statement that it would submit the source code of its software and future product updates for review by a broad cross-section of computer security experts and government officials. It also vowed to have outside parties review other aspects of its business, including software development. Reviews of its software, which is used on some 400 million computers worldwide, will begin by the first quarter of next year, it said. "We've nothing to hide," Chairman and CEO Eugene Kaspersky said on Monday. "With these actions we'll be able to overcome mistrust and support our commitment to protecting people in any country on our planet." Kaspersky did not name the outside reviewers, but said they would have strong software security credentials and be able to conduct technical audits, source code reviews and vulnerability assessments.

12 of 152 comments

  1. Here you go: our full source code! by Anonymous Coward · Score: 3, Insightful

    (... except backdoor.c.)

    1. Re:Here you go: our full source code! by Anonymous Coward · Score: 3, Insightful

      You know... it would seem like an obvious first step would be to move the company the fuck out of Russia if they wanted to start generating trust in their product again.

      As if the USA is trustworthy.

    2. Re:Here you go: our full source code! by Riceballsan · Score: 4, Insightful

      Honestly I can't say that isn't really the factor; name the country that doesn't have a known history of the government in bed with serious malware threats. Moving to the birthplace of most of the major state-sponsored malware threats isn't exactly a huge step up. Stuxnet, Flame etc... Not to mention the at least somewhat shady appearances of TrueCrypt's end etc... I'm not saying the Russia concerns aren't certainly plausible; the Kremlin certainly is not above strong-arming anyone into doing anything. But it isn't like we can just act like all other countries are perfect little angels that would never stoop so low as to pressure a company to compromise security in their own interests.

    3. Re:Here you go: our full source code! by Opportunist · Score: 4, Insightful

      You are aware that a server can only collect data that the client sends, yes?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Here you go: our full source code! by Anonymous Coward · Score: 2, Insightful

      You'll never find the back door in the source code, because the back door isn't source code.

      Hint: Kaspersky is in Russia, and Russian spies probably have a copy of Kaspersky's SSL cert and code signing keys. Add those together, and you've got MITM trojan updates that look 100% legit ... anytime Russia feels like it, on a user-by-user basis.

  2. oy shut it down by Anonymous Coward · Score: 3, Insightful

    Kaspersky is the one that identified the NSA and CIA tools, right... and Stuxnet.
    Can't have those pesky East Europoors disclosing their debauchery.

    1. Re:oy shut it down by Bing Tsher E · Score: 3, Insightful

      Correct, Kaspersky is the only software of this type that we can even partially trust. All the raving on Capitol Hill about Kaspersky is because it poses a severe threat to the US Government sponsored malware and spyware. All the US companies are properly heeled at their master's feet. Those foreign 'coyote' software companies must be hunted to extinction!!

  3. Re:Source submitted by Anonymous Coward · Score: 2, Insightful

    I'm not making any kind of statement as to whether or not Kaspersky has done anything they're accused of, but what could they possibly do to prove to you that the accusations against them are false with statements like that? Let's be realistic here and recognize that fully open sourcing the product isn't a viable option.

    At least in the US, people are supposed to be innocent until proven guilty, but we always seem ready to convict companies like Kaspersky in the Court of Public Opinion based on little more than a wild accusation completely devoid of evidence. I'd like to at least see some actual evidence be presented that independent experts could test.

  4. Oblig by Anonymous Coward · Score: 5, Insightful

    Kaspersky is guilty of "writing code while being Russian".

  5. Pointless by Dan East · Score: 3, Insightful

    I'm sounding like a broken record posting the same kinds of comments to these Kaspersky stories. The software itself isn't the issue. What does antivirus software do? Reads files, analyzes them for various content / fingerprints, transfers any files it deems "suspicious" back to the company for "analysis" (default setting, unless disabled by the user), and modifies and deletes files. Same with the system registry. There will be no surprises here - we already know the software has total access to read and write to anything on the system and transfer our files to 3rd parties.

    The issue is the dynamic control of the software, not how the software was written. That is in the form of antivirus definitions, which are the fingerprints to identify malicious code, and the scripts used to clean (or simply delete) infected files, which are pushed to the software practically daily. THAT is the issue - who controls the behavior of the software. Let's go worst-case and assume Russia wanted to weaponize Kaspersky antivirus. All they have to do is force the company to identify a few key pieces of Windows OS as malicious files, and delete those files as the way of quarantining the malware. Suddenly millions of Windows machines stop working. How does having access to the source code prevent that?

    What we need is antivirus definitions that are controlled by some neutral "open" body that we can actually put some trust in. Currently, I rely on Microsoft's antivirus software. Why? Well, they already hold the keys to my system. They can already screw me over with a bad OS update (and it is harder and harder to disable automatic updates with each new version of Windows). So at least them having the ability to also screw me over with a bad antivirus update doesn't represent an entirely new vector by yet another 3rd party.

    --
    Better known as 318230.
  6. Re:Source submitted by Opportunist · Score: 3, Insightful

    Build it and compare the result to the published binary?

    Say, is it me or is it kinda odd that the accused has to prove his innocence? Last time that was due practice people got a cremation without prior demise.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
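
    The "build it and compare" check from the comment above, as an added example (not code from the original page, from Kaspersky, or from any reviewer named in the article). A bare hash mismatch only tells you the rebuilt artifact differs from the published one; the byte-range report tells you where, which is what you need to decide whether the difference is harmless build nondeterminism (an embedded timestamp, a build path) or a change the reviewed source does not account for. The "binaries" below are constructed blobs with a fake 4-byte build timestamp at offset 8, not real executables, and the offsets and timestamps are illustrative assumptions.

```python
"""Compare a locally rebuilt artifact with a published binary.

Added example; the blobs, offsets and timestamps are constructed for
illustration and are not real Kaspersky (or any vendor's) binaries.
"""
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Return half-open [start, end) byte ranges where a and b differ.

    A length difference is reported as one extra range covering the tail.
    """
    ranges: List[Tuple[int, int]] = []
    n = min(len(a), len(b))
    i = 0
    while i < n:
        if a[i] != b[i]:
            start = i
            while i < n and a[i] != b[i]:
                i += 1
            ranges.append((start, i))
        else:
            i += 1
    if len(a) != len(b):
        ranges.append((n, max(len(a), len(b))))
    return ranges


def compare_artifacts(rebuilt: bytes, published: bytes) -> Dict:
    """Hash both blobs; on mismatch, report exactly which bytes differ."""
    h_rebuilt, h_published = sha256_hex(rebuilt), sha256_hex(published)
    result: Dict = {
        "reproducible": h_rebuilt == h_published,
        "sha256_rebuilt": h_rebuilt,
        "sha256_published": h_published,
        "diff_ranges": [],
    }
    if not result["reproducible"]:
        result["diff_ranges"] = differing_ranges(rebuilt, published)
    return result


# Constructed sample layout (assumption): 8-byte magic, then a 4-byte
# little-endian build timestamp at offset 8, then identical "code" bytes.
CODE = bytes(range(0x40)) * 2


def make_blob(timestamp: int, code: bytes = CODE) -> bytes:
    return b"FAKEBIN\x00" + timestamp.to_bytes(4, "little") + code


PUBLISHED = make_blob(0x59E53A10)        # vendor's build time (constructed)
REBUILT_NAIVE = make_blob(0x5A123456)    # my build time: differs only at 8..12
REBUILT_PINNED = make_blob(0x59E53A10)   # same source, build time pinned
                                         # (SOURCE_DATE_EPOCH-style)

# A published blob whose difference is NOT in the timestamp field: one code
# byte at offset 40 is flipped. This is the case a reviewer must not wave off.
_tampered = bytearray(PUBLISHED)
_tampered[40] ^= 0xFF
TAMPERED = bytes(_tampered)


def demo() -> Tuple[Dict, Dict, Dict]:
    """Run the three comparisons a reviewer would walk through."""
    naive = compare_artifacts(REBUILT_NAIVE, PUBLISHED)      # differs at (8, 12) only
    pinned = compare_artifacts(REBUILT_PINNED, PUBLISHED)    # reproducible
    suspect = compare_artifacts(REBUILT_PINNED, TAMPERED)    # differs at (40, 41)
    return naive, pinned, suspect


if __name__ == "__main__":
    for label, r in zip(("naive", "pinned", "suspect"), demo()):
        print(f"{label:8s} reproducible={r['reproducible']} diff_ranges={r['diff_ranges']}")
```

    The useful reading is the third case: once the build is pinned so that the known-nondeterministic field matches, any remaining range points at bytes the reviewed source did not produce. In a real review the equivalent step is a reproducible build of the audited source with a fixed build time and path, and a diff of the result against the vendor's signed release rather than against a blob like this one.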
  7. Re:If they really wanted vindication.... by Archangel Michael · Score: 3, Insightful

    The previous administration didn't care about facts either. Or the administration before that, or the one before that.

    Quit pretending that this is unprecedented.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.