Kaspersky Lab To Open Software To Review, Says Nothing To Hide (reuters.com)
Moscow-based Kaspersky Lab will ask independent parties to review the security of its anti-virus software, which the U.S. government has said could jeopardize national security, citing concerns over Kremlin influence and hijacking by Russian spies. From a report: Kaspersky, which research firm Gartner ranks as one of the world's top cyber security vendors for consumers, said in a statement that it would submit the source code of its software and future product updates for review by a broad cross-section of computer security experts and government officials. It also vowed to have outside parties review other aspects of its business, including software development. Reviews of its software, which is used on some 400 million computers worldwide, will begin by the first quarter of next year, it said. "We've nothing to hide," Chairman and CEO Eugene Kaspersky said on Monday. "With these actions we'll be able to overcome mistrust and support our commitment to protecting people in any country on our planet." Kaspersky did not name the outside reviewers, but said they would have strong software security credentials and be able to conduct technical audits, source code reviews and vulnerability assessments.
(... except backdoor.c.)
Well they can show the source, but that may not be the source used to build the product.
Translation: we've finally hidden all the dodgy stuff.
P.S. Forrester says they're shite.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
And I don't mean sue them through civil court for damages, I mean actually file real criminal charges against them. Since the government appears to want to keep being mum about why they are saying this about Kaspersky, their only defense against this would then be to go on-record as saying that this is in their opinion only, and not based on any actual findings.
Of course, none of this would necessarily prove that Kaspersky software can actually be trusted, but it would force the US government to shut up about it, unless they are prepared to reveal exactly *why* they believe the company is less than trustworthy (which I don't think they want to do).
File under 'M' for 'Manic ranting'
If they do that, then that's absolutely great and reason alone to switch to Kaspersky. Everybody should welcome this.
Closed-source Antivirus and other security products (encryption, voting machines, credit card processing, etc.) tend to be fairly insecure for lack of external auditing. Companies go at great length to claim how careful they are etc., but the sad truth is that without any external auditing they will allow all kinds of blunders, fix vulnerabilities late and secretly, etc. This has been proven again and again.
It's definitely a step in the right direction. To say more about it, we'll need to see the printed results of the audits and who conducted them.
Very simple question really - and I am biased towards Kaspersky's side on this argument - what is the assurance that the user-facing builds will be based solely on the reviewed code?
I am all in for transparency, especially in scenarios where there are serious accusations and serious financial/security/privacy implications. But transparency cannot be dust in the eyes (is this a right use for the idiom?).
The program detects arbitrary files and retrieves samples of them using signatures provided by a company in Russia.
Kaspersky is the one that identified the NSA and CIA tools right.....and Stuxnet
can't have those pesky east europoors disclosing their debauchery
The problem with this is that with any antivirus software you have to keep the virus database and AV engine up to date for it to be effective.
So that means at any point in the future "backdoor.c" can be added and deployed automatically, and the users would be no wiser.
Also does this actually prove that the compiled binary blob is without a backdoor????
From my understanding the software "worked as advertised" and pulled back Word DOC and other files for additional investigation. Allegedly those files ended up in the Russian government's hands via that pull back.
So what's an analysis of the source code going to show? That Kaspersky sends back Word DOC files? Well... DERP.
The CEO of Kaspersky has already defended his software's actions that pulled back code that looked like it was malicious and that they make no apologies for being aggressive in tracking cyber-crime.
More importantly will this release of the source code include their data tables for the signatures and key phrases they detect?
Kaspersky is guilty of "writing code while being Russian".
Giving others the ability to read your source means nothing. The software may well do exactly what it advertises it does. But when it flags certain types of files, and that flag is sent back to Kaspersky Central, and that flag gets seen by a black hat, THAT is the breach of security. The black hats are looking for certain types of files out there, and Kaspersky is their front man, scanning all the systems it can, looking for possible Trojans etc and sending home all the data about who has what on which system at what IP address. Who needs covert operations when the overt ones provide all the information one needs?
Everybody here seems to be falling how they still can't trust them, because they can't build the code. Although that is true, they still do more than Norton and others.
How do you know they are not infiltrated by the Russians? Perhaps they are and they are also infiltrated by the NSA. Do you think the NSA would tell you not to use it?
The only thing I am sure about is that Kaspersky is not infiltrated by the NSA as they seem to be making such a fuss about it.
Indeed we can't be sure about any of the software that we use if we are not able to build it ourselves. Windows. MacOS. Not trustworthy. Things in the cloud? Not trustworthy. So if you condemn Kaspersky, don't forget to condemn the rest as well. Because if the NSA has the info, the rest will as well.
So to me Kaspersky is the safest as ONLY the Russians can read everything in the worst case. In the same worst case, with the rest, the Russians can read it, together with the Americans.
Don't fight for your country, if your country does not fight for you.
I'm sounding like a broken record posting the same kinds of comments to these Kaspersky stories. The software itself isn't the issue. What does antivirus software do? Reads files, analyzes them for various content / fingerprints, transfers any files it deems "suspicious" files back to the company for "analysis" (default setting, unless disabled by the user), and modifies and deletes files. Same with the system registry. There will be no surprises here - we already know the software has total access to read and write to anything on the system and transfer our files to 3rd parties.
The issue is the dynamic control of the software, not how the software was written. That is in the form of antivirus definitions, which are the fingerprints to identify malicious code, and the scripts used to clean (or simply delete) infected files, which are pushed to the software practically daily. THAT is the issue - who controls the behavior of the software. Let's go worst-case and assume Russia wanted to weaponize Kaspersky antivirus. All they have to do is force the company to identify a few key pieces of Windows OS as malicious files, and delete those files as the way of quarantining the malware. Suddenly millions of Windows machines stop working. How does having access to the source code prevent that?
What we need is antivirus definitions that are controlled by some neutral "open" body that we can actually put some trust in. Currently, I rely on Microsoft's antivirus software. Why? Well, they already hold the keys to my system. They can already screw me over with a bad OS update (and it is harder and harder to disable automatic updates with each new version of Windows). So at least them having the ability to also screw me over with a bad antivirus update doesn't represent an entirely new vector by yet another 3rd party.
Better known as 318230.
When will Denuvo be opened to inspection?
With every single piece of crippleware they publish, I bet there are more assembly level audits going on of that software than any other closed-source soft.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Their CEO says so - it must therefore be true, right?
How about some security experts try to provide guidelines which would allow them to recommend to any government that they trust Kaspersky? This would be a major advance that would benefit all software vendors including competing antivirus vendors.
The idea is it costs money but this is an investment in infrastructure security so governments or cash-rich computer companies like Google, Microsoft, Apple could fund it perhaps.
So far I have not heard of anything that has not got a potential workaround. Here is a start:
- Full source code and build tools are maintained in multiple repositories maintained by trusted third parties (at least one per country).
- They identify functionality that may be questionable and opt-out by a country or user, such as sending any data at all from user computer to their cloud.
- Source code review by experts, including review of updates.
- Builds managed by experts.
- The built exe / dmg / etc. is deployed to a protected deployment server (an app store trusted by your OS) from which end user can download a licensed copy. Apple may wish it to go through the App Store but that would reduce security by adding more people into the chain. The server can also work for free software.
- List of files or patterns for which to search is maintained by a third party database, potentially this could be open to public (up to vendor). This kind of strategy can be used to limit the impact any single country's security agency can have on the activity.
- If phone-home tactics are necessary to beat malware bot swarms then this info could be anonymized and maintained in a third party database to which vendor has access. Potentially a country or organization could pay vendor to invest in this kind of proactive anti-malware activity.
- The above deployment server can also host open source tools for users that will monitor and prove that the currently running binary and processes in fact belong to the guaranteed safe code, build and tool chain above. This might limit the ability of malicious programs to corrupt the executing code on systems that do not have protection or for which such protection has been subverted.
Their US business is dwindling and this is a direct response.
Do you mean back when software was distributed on mylar punched tape, or are you talking the really old software distributed on wired diode arrays?
Nationalism liberated the African continent from any of the cultural traditions that had made the African peoples humane and civilized in their past. Those cultural traditions predate the times when the European explorers arrived to corrupt the African peoples, btw.
When the Europeans withdrew, they left the borders drawn on the land that they had imposed there. This left the traditional social/political structures of the African peoples sliced up by artificial political boundaries, which is a BIG part of the problem now as things exist on that continent.
We wouldn't have to constantly deal with this shit if we had just sensibly elected John McAfee President.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
By reporting back telemetry in a method that it can be used by trained "external advisory" Russian agents, it doesn't matter how the software works, it matters what it does and what route it takes.
The Cold War is back. Get used to it.
-- Tigger warning: This post may contain tiggers! --
Unless you can point to a statute wherein we've waived Sovereign Immunity for that exact type of lawsuit, that would violate the 11th Amendment:
https://legal-dictionary.thefreedictionary.com/11th+Amendment
Doesn't matter how many reviewers sign off on this.
The market is never going to accept KL isn't sending all data to Moscow.
Even if they truly aren't.
I feel bad for them.
On a technical level this is pure BS: Kaspersky (and any other AV for that matter) updates include application components like libraries and binaries, so this source code audit is only valid for one particular version of the application which will be outdated days if not hours after being submitted. So, unless Kaspersky submits the source code continuously, this proposal is pretty much meaningless.
Oh how amazing would it be if Trump got impeached for violating the federal criminal code by slandering a Russian.
Won't happen (likely can't happen).
Source code is not enough. You need the build tool chain as well. You need to verify the tools don't inject anything in the binaries, and that the binaries produced from the exposed source are exactly the same as binaries sold or distributed by them. And one step backwards if they use open source tools is to examine the tools and build them. You need to go back to known safe code. Paranoia you say? XcodeGhost was created by hackers to infect apps on the apple app store. They convinced people to download it instead of the slower download from Apple's servers at the time. A nation state actor could do substitutions during legitimate downloads from known sites (and substitute in the checksum on the description pages).
- Tjp
I am in wallow with my inner money grubbing capitalistic pig. ... Oink!
Do they really think people are ignorant enough to fall for this? Okay, actually the U.S. government undoubtedly is, but not the rest of us. Unless these security researchers with access to the source code are going to be the ones compiling it and releasing binaries, this is nothing but a pointless exercise. If they released verifiable builds, where independent security researchers could release a unique signature of the binaries generated from code they had compiled themselves, then *maybe* this would be interesting. Otherwise, it's just business as usual in the world of proprietary software.
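As an added example (not code from this thread, from Kaspersky, or from any reviewer), here is the verification the two posts above and the deployment-server list describe: independent reviewers rebuild the reviewed source with a pinned toolchain and publish SHA-256 digests, and a verifier checks whether a quorum of those rebuilds matches the vendor's shipped binary bit-for-bit, and whether the file installed on a user's machine matches the approved digest. The reviewer names, quorum size, sample bytes and digests are all constructed for the example.

```python
import hashlib
from collections import Counter

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample: placeholder bytes standing in for a vendor-distributed installer.
VENDOR_BINARY = b"AV-ENGINE release 1.0\x00\x01\x02"
# Constructed sample: digests published by reviewers who rebuilt the reviewed
# source themselves. Reviewer C's rebuild differs (e.g. a toolchain that embeds
# something the others do not), so it does not vouch for the shipped binary.
REVIEWER_DIGESTS = {
    "reviewer-a": sha256_hex(VENDOR_BINARY),
    "reviewer-b": sha256_hex(VENDOR_BINARY),
    "reviewer-c": sha256_hex(VENDOR_BINARY + b"\x00"),
}

def assess_build(vendor_binary: bytes, reviewer_digests: dict, quorum: int) -> dict:
    """Classify a shipped binary against independent rebuild digests.

    verdict:
      'verified'         a quorum of reviewers reproduced the vendor binary exactly
      'vendor-mismatch'  reviewers agree with each other but not with the vendor,
                         i.e. the shipped binary is not what the reviewed source builds
      'not-reproducible' reviewers disagree among themselves; nothing can be concluded
    """
    if not reviewer_digests:
        raise ValueError("no reviewer digests to compare against")
    vendor_digest = sha256_hex(vendor_binary)
    consensus_digest, consensus_count = Counter(reviewer_digests.values()).most_common(1)[0]
    matching = sorted(r for r, d in reviewer_digests.items() if d == vendor_digest)
    if len(matching) >= quorum:
        verdict = "verified"
    elif consensus_count >= quorum:
        verdict = "vendor-mismatch"
    else:
        verdict = "not-reproducible"
    return {
        "verdict": verdict,
        "vendor_digest": vendor_digest,
        "consensus_digest": consensus_digest,
        "matching_reviewers": matching,
    }

def installed_matches_approved(installed_bytes: bytes, approved_digest: str) -> bool:
    """End-user check: does the file actually on disk match the quorum-approved digest?"""
    return sha256_hex(installed_bytes) == approved_digest

if __name__ == "__main__":
    result = assess_build(VENDOR_BINARY, REVIEWER_DIGESTS, quorum=2)
    print(result["verdict"], result["matching_reviewers"])
    # A locally modified copy (simulated here) fails the on-disk check.
    print(installed_matches_approved(VENDOR_BINARY + b"\x00", result["vendor_digest"]))
```

In practice the digests would come signed from each reviewer's own infrastructure; the quorum rule is what keeps a single compromised reviewer from vouching for a substituted binary.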
It should be standard for *all* software, period. That's what the Open Source movement is all about.
People need to start thinking of proprietary software just like they do non-peer-reviewed scientific research. We need to build a web of trust.
There cannot be 'primary sources' on archive.org, because the sources regarding pre-colonial African civilization aren't housed on the Internet.
For cripes sake. There is a LOT of history that predates the creation of ARPANET.
And the point I was making regarding the existence of 'human and civilized pre-colonial African culture' isn't negated by warlords corrupted by the European colonialists. You're referring to small-time operators who pandered to the Europeans.
Stick to your white power websites if you want to circulate racist garbage.
So you're not talking about the much heralded 'old days when software was free' in the 1960s. Because back then there were a few hundred computer installations of any size in the whole world, and the software was 'free' because the hardware it ran on cost many millions of dollars per system, and the hardware clock time to run software was metered in CPU seconds. The software was 'free' because there was hardly any of it, and it made sense for it to be free.
identify a few key pieces of Windows OS as malicious files, and delete those files as the way of quarantining the malware.
So, working as intended?
Hitler gave Putin a high-five while they both kicked my dog!!!!!1!!
What primary sources do you suggest? My knowledge of African history is weak - I'd love to learn more.
Fwiw, archive.org has tons of old pre- internet books scanned and available.
No, in fact the continued lack of software freedom for users is precisely the reason users should reject Kaspersky's, Microsoft's, Norton's, McAfee's, and so many other nonfree anti-malware software.
"Closed source" is the tell here—that term is a reference to the open source development methodology. And here we see why free software is better than open source: open source enthusiasts are fine with proprietary software so long as some people get to "review" the source code. In this case that set of people are described as "a broad cross-section of computer security experts and government officials"—an unknown set of people who, for all we know, are not interested in looking out for security issues users would find problematic, or bugs that might harm users. Such an arrangement is no better than what Kaspersky is offering now; any proprietor can offer an NDA-laden "review" that does not respect a users' software freedom. It's no accident that the open source group takes this view. Open source was defined to reject software freedom in its pitch to businesses. Ultimately we find time after time that open source enthusiasts are ready to abandon their own development methodology if it would make a business happier to work in secrecy. Software freedom activists, on the other hand, won't settle for less than software freedom: the freedom to run, inspect, share, and modify published computer software—users included.
In fact what we're seeing in your post is precisely what a later revision of the aforementioned essay talks about. In "Why Open Source Misses the Point of Free Software" we can find:
Digital Citizen
Reviews of its software, which is used on some 400 million computers worldwide, will begin by the first quarter of next year,
after the backdoors have been removed
it said.
I bet they did a quick bikini wax before they lifted their skirt.