Kaspersky Lab Sues Over Second Federal Ban

Cybersecurity firm Kaspersky Lab has filed a lawsuit targeting the second of two federal bans on its wares. The latest suit goes after language in a defense law explicitly blocking the purchase of Kaspersky products. An earlier suit targets a Homeland Security directive doing the same. From a report: The bigger picture: With the White House reluctant to institute additional sanctions on Russia, White House Cyber Czar Rob Joyce pointed to Kaspersky as an example of the Trump administration taking Russia seriously. While Kaspersky isn't alleged to be involved in the election hacks of 2016, it's hard not to see the actions against the firm in the context of deteriorated relations with Moscow, as part of a growing spat between the two countries.

Being a russian company.

[jellomizer]

We will need more proof then just "Trust Us" we are trying to protect you. In the mist of a lot of findings of Hacking from the Russian government, melding with the elections, often with electronic means. With being a part of the government that like to keep companies on a tight leash.

Kaspersky may actually being doing good things without opening the door to the Russian government, and may actually be better protected with their products from Russian hacking. However we will need solid proof on this, otherwise we will just use our countries tools.

Re:Being a russian company.

[Opportunist]

What I wonder is why the selective treatment of one single company. If you think Russia is spying on you, block everything coming from there. It's not like Kaspersky is the only Russian security company (far from it) or the only Russian IT company (even further) or even that there isn't a LOT of OSS coming from that general area.

Take a look down Github. Sometimes it feels like every other library for compression or security has a Russian name next to it.

What's so special about Kaspersky?

Re:Being a russian company.

[TWX]

Ok, please name the other Russian security companies whose products phone-home even if for legitimate purposes. Especially ones with as much market penetration as Kaspersky.

Kaspersky the man might well not intend to cooperate with nefarious interests of his government, but Kaspersky the man might not be able to stop said government from covertly penetrating Kaspersky the company either through actual hacking techniques or through social-engineering of company employees.

Re:Being a russian company.

AV programs have even deeper level access to a system than the "Administrator" account.

All AV programs have automatic updates.

Anyone who can sign updates for your AV program can push arbitrary code to a computer and it will be trusted with that better-than-admin access to your system.

Kaspersky has known ties to Russian state security services. You do the math.

  Not that that matters. There are no property rights in Russia's illiberal government. If someone at Kaspersky does not play ball the owners will end up in jail, dead, or living in exile (Probably in the UK) and the company will come under control of some (other) oligarch.

Re:Being a russian company.

[mnemotronic]

We will need...

Posted with Andriod, hence the speeling otters.

Re:Being a russian company.

[Opportunist]

Funny enough you're even right, most of the Russian internet companies mostly serve Russia. It's actually pretty interesting how there is nearly for every US company a Russian counterpart. Google - Yandex. GMX - mail.ru. Kickstarter - Planeta. Bet you never heard about them.

Which is a shame, they're quite useful. But I don't see anyone banning the use of mail.ru or Yandex, which would actually make more sense than banning K if you ask me...

Re:Being a russian company.

I can dig up more "proof" of US based companies colluding with the US government than any "proof" Kaspersky has colluded with the .ru government. For example; Google Chrome no longer trusts Symantec SSL/TLS certs. RSA getting caught red-handed sneaking in rigged PRNGs and "extended random" features into crypto products for millions of dollars. The infamous "NSA_KEY" in the Windows source code.

No. The burden of proof is on the US, not Kaspersky. But keep using our countries tools, that sounds like a well informed decision.

Re:Being a russian company.

[MightyMartian]

I agree. Even if Kaspersky's software isn't tainted in some way, the fact is that it could be co-opted. I find most AV software fairly troublesome, but using Kaspersky on any of my systems just seems like inviting an unpleasant outcome. And I certainly understand why the US government wants nothing to do with it at all.

Re:Being a russian company.

[Bryansix]

The same NSA employees who turned off Kaspersky protection to install a keygen tool. https://www.theguardian.com/te...

Re:Being a russian company.

[Bryansix]

Your definition of "known ties" also means Google has "known ties" to Russia, China, Iran, etc. That just means they abide by legal requests in court cases.

Re:Being a russian company.

[MightyMartian]

It's worse than admin access, it's low-level kernel access that sits underneath file systems and other services. Basically, AV is a rootkit, so if you install Kaspersky, it's very likely you are handing not just admin keys to the Russians, but pretty much core system functionality. Everything is naked before AV software, since that is AV software's fundamental purpose.

Re:Being a russian company.

[Opportunist]

Well, it is pretty much a requirement if you want your AV kit to be able to do its job. You do hand your security the key to the building, too, so they can go check whether there is a burglar inside, don't you?

Rights

[midifarm]

Why do they assume they have a right to supply the US Government with anything? THe Us Government as a "company" can choose products for company-wide use or non use. Some companies required Blackberries at one time. Now they're no longer allowed. Apparently the critics are right, they don't like free enterprise!

Re:Rights

[mark-t]

They don't... I think, but with the US government being outspoken about the matter, it has leaked into other organizations and companies specifically choosing to avoid their software.

They are, to the best of my knowledge, not trying to sue them for boycotting their software (which they should be allowed to do anyways), they are actually suing them for defamation.

And willful defamation is actually against the law.

And it's worth noting that while the government might be immune to civil prosecution, they aren't immune to criminal prosecution.

Nonetheless, all the US government has to do to dodge this is present whatever evidence that they had which would give them just cause to believe that Kaspersky was objectively untrustworthy. They might just say that such reasons involve national security and they can't divulge that information in court, but if a reason can't be objectively scrutinized, then by definition it can't be objective in the first place, so all of the normal penalties for defamation would still apply (which, presumably, the government is prepared to pay if they actually want to keep their reasons secret).

Re:Rights

[bobbied]

I'm shocked that this government action gets any negative airtime on Slashdot.. After all, folks come out of the woodwork here to support the right of the states to enforce Net Neutrality rules on ISP's doing business with them. How's this all that different? It's a head scratcher for sure..

Personally, I've always maintained the "government", be it state, local or federal, has the right to buy or not buy what they deem fit for purpose and impose any rules they like on the sellers who stand in line to collect government money. The only issue we need concern ourselves with is graft and corruption in the process... Which isn't what Kaspersky is alleging here is it?

Re:Rights

[Opportunist]

The US government as a company belongs to you. Well, not totally, but at least you're kinda like a shareholder. And as such, you're entitled to them using the funds you provide them with well. Them simply declaring that they will only buy from this provider or never buy from that provider requires oversight, or it becomes a cesspool of bribery and corruption.

There has to be oversight because, well, would you, as a shareholder, want your CEO to buy his supplies from a company that just happens to be owned by his spouse, no matter whether there are better offers? Or would you want your CEO to avoid buying a best offer because he doesn't like the vendor for some personal reason?

Don't get me wrong, if there is a good reason not to buy there, I'm glad they don't. And it's sad that the vendor has to second guess their actual motivation instead of you, the owner of the company, doing it.

That's actually your job. Selecting one of the two offered applicants for some management position every other year isn't enough!

Re:Rights

[swb]

I've worked with some companies associated with the power generation industry and already heard one story about 100% of hard drives being swapped out to eliminate Kaspersky in one organization.

Re:Rights

[MickyTheIdiot]

Until Trump gets congress to monkey with the law, truth (and even belief of what the truth is) is a defense against libel and slander.

So good luck with that.

Re:Rights

[mark-t]

Truth is defense against slander, as is having cause to simply believe that something is objectively truthful. If you cannot divulge what that reason is, however, then by definition it is not objective

Re:Rights

[bobbied]

Nope, there is no law here.. There is an executive order that says that government purchasers may not approve P.O.s that include this product and any bids that include this product will not be considered. So we are good...

Re:Rights

[techno-vampire]

Laws that single out a single person or entity are unconstitutional.

I take it, then, that you never bothered to pay attention in your civics class. If you had, you would have known about private bills. Granted, they're rarely used now, but they're perfectly legal under the US Constitution.

Re:Rights

[Aighearach]

In their defense, they do have a right to a hearing.

One hearing. At which their lawsuit gets tossed. :)

Re:Rights

[Aighearach]

The problem with leaning on "belief" is that you would have to prove what your belief actually is, you can't just assert anything and insist on it. The other side will have experts that dig into the details of it and try to prove, based on your other words or actions, that you probably believed something else. And they'll do that by talking not about you, but about what a mythical Reasonable Person would believe.

If this was two companies, that might matter. But it doesn't matter if this company had some measly low-level rights violated, because the Constitution gives the Executive branch of government wide discretion over national security and foreign policy. Even if you don't believe the Government about their reasons for the action, that doesn't matter; the reasons given are clearly reasonable, and clearly within Executive discretion. The Executive can slander or libel any foreign entity they want, and even if it harms their Rights that will be OK because their Rights have to be balanced against the Executive responsibility for national security and foreign policy. The Government always wins that fight against a foreign entity, by definition!

Nothing about defamation would even come up; you can only sue the US Government where there is a federal law that permits you to do it. And that mostly means, when your Rights have been violated. So you don't sue the Government for defamation, and you don't even get to use that word in Court against them.

The question is not about "objective" anything, either, but about if the Government's reasons seem reasonable on their face. The Court doesn't have authority to second-guess the Executive's judgment, they're not going to go there. It will be like a Habeas hearing where they just look at what is alleged, and does the alleged conduct reasonably fit the charges filed? So here that would be, Did the government give a reason that seems to relate to national security? If everything the Government alleges were true, would the Government have the right to refuse to purchase a company's product? See, you don't even get to the real analysis, because Kaspersky won't be able to write a court filing that pushes a reasonable theory as to why they have a right to have their product purchased by the US government. That is not an enumerated right. But if it was, then it would be weighed against the Executive foreign policy prerogatives and the government would only have to prove that the government didn't trust Kaspersky. That's it, that's all they have to show; not even prove! They simply have to assert that yes, they promise they relied on some sort of information that involved national security or foreign policy.

Re:Rights

[Bryansix]

Actually, the US Government has a fiduciary responsibility to taxpayers to buy the most cost effective product available for a given problem. Cost effecting meaning a balance of usability for the purpose intended and hard cost.

**Busts out laughing at the absurdity of believing they will ever do this. **

Re:Rights

[dryeo]

The last sentence in your link shows some limitations in private bills,

In the United States Constitution, the concept of a private law, when applied punitively, is covered by the term bill of attainder. Such punitive private laws are therefore unconstitutional.[7]

So passing a private law to punish Kaspersky is unconstitutional.

Re:Rights

[techno-vampire]

I see your point, and agree with it. However, private bills are, in general, permitted by the Constitution, which is what I was pointing out. And, I'm not sure if a private bill forbidding any agency of the US Federal Government to buy software from Kaspersky would be considered a bill of attainder because it doesn't prevent private companies, individuals or state/local governments from using their products; that would be for the courts to decide and would almost certainly end up with the Supremes. (Now that you mention it, I'd not be surprised if it were overturned as a bill of attainder, but the question would have to be properly litigated.)

Re: Rights

[nnull]

Meanwhile, their network is still wide open. I know because I have been to many and have worked on machine installs. That is the big joke. Ban Kaspersky, but everything is still unsecure. Hell, Kaspersky was probably making things more secure considering what it is now.

Our security has dropped to Chinese levels in many industries. I used to laugh when I was younger how I could access Chinese machines and mess with them, now Iâ(TM)m saddened at how many machines I can access in across the US.

Re: Rights

[swb]

I didn't say it was an improvement per se, but the word supposedly has been coming from DHS to rip out Kaspersky.

Re:Kinda like China

[jellomizer]

I am not a Trump supporter. However this is common across nearly all countries even the US previously.

Discovery is going to be a bitch for 'em

To win this, Kaspersky Labs is going to submit to discovery, which means the government will get to pour through their books, emails, and everything else.

It's likely Kaspersky will fold once that starts if they have any underhanded ties to the Russian government.

Re:Discovery is going to be a bitch for 'em

[bobbied]

Not really.

All the government need argue is that they *could* be compromised by their corporate owners at any time and that this represents an undue risk to computer system security. Given that's a logical possibility argument, the burden of proof rests on Kaspersky to prove their product cannot be so modified.

Given the code base is controlled by Russian interests, I think Kaspersky has a hard uphill climb on this one.

Re:Discovery is going to be a bitch for 'em

[green1]

The government hasn't said that it "Could" be compromised, they've stated repeatedly that it IS compromised. That's a very different thing.

Kaspersky isn't suing them because they aren't buying the software, there'd be no grounds for that. They're suing because the government is making claims about the software that Kaspersky says are false. The burden of proof in such cases always rests on the party making the claim, and that's the US government.

Re:Discovery is going to be a bitch for 'em

[bobbied]

I beg to differ.. News reporting clearly indicates that more than just the US Government is reporting that this product has been used in the past for nefarious purposes... This action by the US Government then is perfectly understandable.

https://www.thetimes.co.uk/article/antivirus-firm-kaspersky-lab-ruled-by-russian-spies-2ghtw38ql

Re:Discovery is going to be a bitch for 'em

[green1]

Your article (which is paywalled so impossible to read) doesn't do anything to change the facts. The first few lines (which aren't paywalled) imply that the British government's security service did not feel that Kaspersky was enough of a risk to advise Brittons against using it, and states that an anonymous source said that Kaspersky wasn't trustworthy.

So far the US government has never put forward even a single piece of evidence to the contrary, and the part of your article that I could read did not either.

Kaspersky obviously doesn't think there is any evidence or they wouldn't be suing as their odds of success would be near zero.

So it's up to the courts to decide if any evidence actually exists to support the claims of the US government here. Basically this is going to force the US government to either "put up or shut up". Which is what they should have done all along. The government never should have made claims if they weren't willing to back them up with evidence.

Re:Discovery is going to be a bitch for 'em

[bobbied]

So you agree that the US government isn't the only one saying Kaspersky is risky to use, independently others have made the same claims, yet Kaspersky hasn't taken legal action on those other claims. The US government hasn't moved to prevent Kaspersky from doing commercial business within the USA or even advised citizens to not use their products as other countries have. So, What's this lawsuit about at this point?

Re:Discovery is going to be a bitch for 'em

[green1]

I agree that a single anonymous source that was quoted by a journalist stated Kaspersky was a threat. That doesn't make them so.

As for taking those others to court? why bother? If your legal team wastes their time with every single person that says something bad about you you'll go broke litigating them all. It's better to stick to the ones that you can prove actually harm your business. And this one with the US government makes that easy.

If the US government really believes Kaspersky to be a threat, fine, show the evidence. Anything else is just libel.

Re:Discovery is going to be a bitch for 'em

[MightyMartian]

National security trumps all of this. The US Government doesn't have to show its hand, it just has to say "we believe Kaspersky can be used by a foreign actor to compromise government systems", and pretty much that is that.

Re:Discovery is going to be a bitch for 'em

[bobbied]

BUT Kaspersky is NOT suing for liable, so this whole line of reasoning you are engaged in is moot, legally speaking.

Re:Discovery is going to be a bitch for 'em

[MightyMartian]

How is a national government banning AV software from its computers due to fears that it may be compromised authoritarian?

Re:Discovery is going to be a bitch for 'em

[green1]

"national security trumps all of this" is the part that only applies in authoritarian dictatorships.

In free societies "national security" doesn't trump facts and reason.

Re:Discovery is going to be a bitch for 'em

[MightyMartian]

In free societies, governments are still free to tell citizens of potential security risks and to choose what AV software they'll install. This has nothing to do with freedom, and everything to do with prudence.

Re:Discovery is going to be a bitch for 'em

[green1]

They are free to tell citizens of security risks, but so far they refuse to do so.

Seems far more likely that the only "security risk" is Kaspersky's refusal to implement NSA back doors.

In free societies governments don't hide their motives, if they find something like this, they do the prudent thing and show their evidence. The fact they refuse to do so implies that it would make them look worse than it would make Kaspersky look. Why do you think that is?

This is going to send a strong message

[Opportunist]

If you don't let us get a backdoor into your products, you won't work in this country again.

Re:This is going to send a strong message

[houghi]

It indeed says a lot about others.

With Kaspersky I know that at least the US does not have a backdoor. Because worst case scenario, all others have backdoors from everybody. So the Ruskies will read your things, no matter what.

But Windows 10 is ok?

[Stan92057]

lol why the hell is our government even allowing windows 10 on any and all government computers windows is 100% data mining everything that's done on a win 10 PC and that's OK though? in fact any software is suspect.

Constitutionality of a Bill Targeting a Co

[wfrazee2004]

Completely aside from the political stuff of whether Kapersky is giving things to the FSB and is therefore an elevated risk - I wonder aloud about the constitutionality of a law targeting specific companies.

Re:Constitutionality of a Bill Targeting a Co

[bobbied]

It's not a law or even a regulation... It's an Executive Branch policy based on security recommendations that they won't allow any government agency buy this product any more.

And it MUST be banned

[Ivan+Stepaniuk]

It is not acceptable for a sovereign government that any company, especially a foreign one, has the ability to render the whole country's computer infrastructure to a halt with the flick of a switch on their automatic update servers.

The system is already broken. Using closed source software puts any country sovereignty at stake. Your software providers' "red buttons" are bigger and faster than Trump's.

Re:And it MUST be banned

[DNS-and-BIND]

It's just bizarre to see educated people jump wholeheartedly into the "blame the dirty foreigners" narrative.

Re:And it MUST be banned

[Bryansix]

Slow your roll buddy. This isn't going to be the year of Linux on the desktop.

Re:Or ... lack of trust ...

[bobbied]

Betting is one thing, knowing and thinking totally different...

Do you think we bust out the sanctions trying to get China and the Russians to use our stuff in their government controlled hardware and software?

I don't think so. Maybe you've heard of something?

Re:Or ... lack of trust ...

[green1]

The Chinese and Russians aren't telling everyone there are security problems with US software. The US on the other hand is doing exactly that.

There's a big difference between not buying something, and telling everyone else that the product is compromised and that they shouldn't buy it either.

Kaspersky is not suing for the former, they're suing for the latter.

If the US government has proof, this should be no problem, but this is Kaspersky saying "put up, or shut up!". Of course actual truth and evidence aren't exactly valued in the USA.

Re:Or ... lack of trust ...

[green1]

This isn't about the right to force the US government to buy their products, this is about the US government slandering them at every chance they get.

This is Kaspersky saying "put up, or shut up". The US government can choose their suppliers, but under US law neither they, nor anyone else, can make false injurious statements about others.

My advice to you? Get over it and quit whining.

Of course the rule of law, truth, and facts, have never meant all that much in the USA.

Re:Or ... lack of trust ...

[bobbied]

The government isn't preventing you from buying as many copies of Kaspersky software as you like. They are free to hawk their wares in the USA all they like. The only thing the government has said is that the GOVERNMENT won't buy any more copies. Now both the Executive branch and Congress have the same policy... But they are not keeping Kaspersky from doing business here, only saying the government won't buy their stuff anymore.

How's that require proof of anything? They are not telling you that YOU cannot buy Kaspersky's stuff, only that the government isn't going to.

Re:Or ... lack of trust ...

[green1]

If they just said "We aren't buying it" that would be fine,
But they are saying "Kaspersky software is a security threat" that's a provable claim, that they should have proof before saying.

I can decide not to buy from you, that's fine, but if I tell everyone that you're doing something specific that's unethical, I better have proof to back it up, otherwise it's slander or libel.

Re:so much bullshit

[DRJlaw]

What "election hacks of 2016" are we talking about? I mean, besides the Democrats screeching about this stuff 24/7 trying to push their alternate explanation of how the worst candidate in history lost to the 2nd worst.

The ones that a named DHS unit head says occurred. It's amazing how forgetful you trolls can be.

Re:Or ... lack of trust ...

[bobbied]

Then they need to sue for liable or slander, not for some cooked up constitutional charge. If Kaspersky was suing the government for lying about their product what you say might make sense, but as it stands, your legal theory isn't what Kaspersky is using.

Banning Kaspersky was just a distraction

[Big+Bipper]

Why worry about what optional and replaceable or removable software might be doing when the hardware has a massive back door built in right from the factory. The existence of the Intel Management Engine ( and AMD's equivalent ) make worrying about Kaspersky ( or the far worse Win 10 ) the equivalent of bandaging a small scrape on an accident victim's hand while ignoring their sucking chest wound.

Cyber Czar?

[Convector]

Should we really be using the title "czar" for someone who's supposed to be addressing potential hacking by _Russia_? I realize that term is commonly used as an informal title for these kind of positions (though I never really understood how that got started). But it seems to be particularly absurd here.

Re:Or ... lack of trust ...

[green1]

Funny, the government isn't recommending against EVERY OTHER piece of anti-virus software out there.

Re:Or ... lack of trust ...

[MightyMartian]

They're saying it because it is. There are troubling links between the company and the kremlin, it's written by a company in Russia, and as part of its functionality it gains low-level access to any system on which it is installed, so yes, it's reasonable to assume that it has been compromised. And the NSA and the other three letter agencies don't have to show up in court with public evidence, they can basically show up, tell the judge "this cannot be disclosed in open court because it involves national security", and that's it. Kaspersky is wasting its time, and yes, it means its reputation is shredded, but seriously, who in their right mind would install it on their systems anymore anyways?

Re:Or ... lack of trust ...

[green1]

So in other words, as in all authoritarian regimes, secrecy trumps truth.

Glad I don't live in the USA!

It's far more likely that the reason they refuse to disclose the supposed vulnerability is that the only vulnerability is the refusal to implement the NSA's requested back doors.

The rest of the world is watching all this with interest, and so far, the evidence points to Kaspersky being among the most trustworthy products on the market. So far they're the only ones who seem to have told the US government to pound sand, and so far, nobody has found any evidence of any other nefarious goings on.

Remember, "the NSA doesn't want you to use it" in most cases is a glowing recommendation to use it (short of someone giving some proof of actual issues)

Re:Or ... lack of trust ...

[MightyMartian]

Oh fuck off. You're still free to buy Kaspersky if you want, though I personally would think you were an idiot for doing so. I wouldn't let any Russian AV software within a mile of my computers.

Re:Or ... lack of trust ...

[green1]

I'd far rather let secure russian AV software on my computer than any software with a US connection. At least I know it isn't tainted by the NSA.

The world is waking up, US IT products are no longer a first choice, but now a last resort, not to be trusted. It's well known that the American government has no concept of rights or privacy, and that all US vendors are compromised by default. Precautions must be taken if using US products.

Re:so much bullshit

[DRJlaw]

I'm not a troll, you are.

I'm not a troll, you are, first and foremost.

Did you even read what you posted.

Traditionally one uses a question mark for a question, and yes, I did.

Successfully penetrating a state election network and hacking an election aren't related.

Yes they are. For instance, both your descriptions use "election."

There's no evidence - and not even the allegation - that they changed anything.

"She did not say whether the Russian government altered any state voting registration databases or compromised actual votes, saying she is not allowed to talk publicly about classified information."

You have access to classified information? Or you merely assume that there wasn't because you desperately want there not to be? Absence of public evidence is not evidence of absence.

Sorry, Hillary lost because she was a terrible candidate who didn't bother to campaign in key states.

So sorry, you denied the existence of election hacks and have been proven wrong. I never claimed that election hacks, which definitely did happen, changed the outcome of the election.

Troll.

Re:so much bullshit

[Trailer+Trash]

I don't have to have access to classified information (and wouldn't tell you if I did - think about that). Were there any evidence that Russians actually changed election results it would be on the news 24/7. It's the same way that I know the TSA has never actually caught a real terrorist.

Re:so much bullshit

[DRJlaw]

I don't have to have access to classified information (and wouldn't tell you if I did - think about that).

Oh, I've thought about it. Not impressed.

Were there any evidence that Russians actually changed election results it would be on the news 24/7.

But it it was classified then they wouldn't have access to it or even know that it exists. Think about that.

Nevermind that the "election hacks of 2016" are not limited to Russians directly accessing and changing votes in an outcome altering manner, and have been on the news 24/7.

Funny how Russians directly accessing voter registration systems is not related to elections, but Republicans lose their shit about poor and colored people registering to vote, allegedly being bussed in from other states to vote, and everything else that doesn't involve tampering with the voting machines themselves. Seems a bit inconsistent to the rest of us.