US Government Can't Get Controversial Kaspersky Lab Software Off Its Networks

The law says American agencies must eliminate the use of Kaspersky Lab software by October. But U.S. officials say that's impossible as the security suite is embedded too deep in our infrastructure, The Daily Beast reported Wednesday. From a report: Multiple divisions of the U.S. government are confronting the reality that code written by the Moscow-based security company is embedded deep within American infrastructure, in routers, firewalls, and other hardware -- and nobody is certain how to get rid of it. "It's messy, and it's going to take way longer than a year," said one U.S. official. "Congress didn't give anyone money to replace these devices, and the budget had no wiggle-room to begin with."

At issue is a provision of the National Defense Authorization Act (NDAA) enacted last December that requires the government to fully purge itself of "any hardware, software, or services developed or provided, in whole or in part," by Kaspersky Lab. The law was a dramatic expansion of an earlier DHS directive that only outlawed "Kaspersky-branded" products. Both measures came after months of saber rattling by the U.S., which has grown increasingly anxious about Kaspersky's presence in federal networks in the wake of Russia's 2016 election interference campaign.

AI Solution?

With the rapid advancements in AI, it doesn't seem that this problem should be too hard to resolve.

Re:AI Solution?

Al is looking into it. (He prefers Alphonse, BTW) He said the Kapersky shit is like Norton and is a bitch to get off of the machines.

It'd be best to just trash the machines and start with all new ones.

Alphonse knows a guy who knows a guy who can get really cheap machines. His name is Wong Wei Wang. His company is based in Beijing and is called (English translation) Friendly Not Government Controlled Computer Company. The Trump administration has already OKay'd it. Eric is such a great guy according to Wong.

Re:AI Solution?

AI on blockchain in the cloud.

Re:AI Solution?

[CaptainDork]

... on a quantum computer.

Re:AI Solution?

This is why I always make my SOE image, then install AV afterwards... easy to roll to new platforms. The fact government does not do this should equal sacking for every IT worker.

Re:AI Solution?

[Harvey+Manfrenjenson]

With the rapid advancements in AI, it doesn't seem that this problem should be too hard to resolve.

Wasn't that the plot of Terminator 3?

Re:AI Solution?

[JustAnotherOldGuy]

... on a quantum computer.

A 3D-printed quantum computer.

Re:AI Solution?

They need AI because their NI (natural intelligence) only knows how to blame Russians having no idea of what the software is.

Re:AI Solution?

[gweihir]

What "rapid advancement"? No such thing is happening. It is still the same dumb automation that was available 30 years ago, just a lot faster and cheaper. It is not suitable to solve the malware problem as that is not a question of speed.

Re:AI Solution?

[yuriklastalov]

Let's rephrase:

With the rapid advancements in AI jargon and AI-related rhetoric by Silicon Valley startups in pursuit lucrative venture capital and it doesn't seem that this problem should be too hard to resolve.

Prior art

[Ol+Olsoc]

We must read the story of Helen of Troy, and the Trojan horse. Most bolshy applicable.

Re:Prior art

[khandom08]

It's Trojan horses all the way down....

Re:Prior art

Yeah, but the NSA hat priort art on "fucking up the enemys network", how dare someone infringe on that...

Re:Prior art

Helen was from Sparta.

Re:Prior art

Sure, but at the bottom is the NSA, and they likely already have a patch they could deploy, except that they'd lose their access as well.

Re:Prior art

[Ol+Olsoc]

Yeah, but the NSA hat priort art on "fucking up the enemys network", how dare someone infringe on that...

It depends on which side you are fighting for Ivan. My enemies are my targets, and I am happy to destroy them. But alllowing my enemy's software on my computers? Nyet!

I knew that Kaspersky was a Kremlin tool long before the US Guvmint idiots ever thought about it. Whch is why i vet what is on my computer and networks.

Re:Prior art

[Ol+Olsoc]

Helen was from Sparta.

Either Helen of troy, Helen of Sparta, or Helen is appropriate. https://en.wikipedia.org/wiki/...

Re:Prior art

And creimer is a dumb fuck failing over and over again! creimer channel is losing subscribers and now gets 10 views a day with a total with 50 published videos! That's 0.2 view a day by video! Wow creimer! what a passive income retirement strategy!

Now, talk about butthurt creimer! :)

MODDOWN! ; creimer karma whoring sock puppet post!

CREIMER' SUBMISSIONS UPDATE:
Note also that creimer is trying to regain karma by getting his submissions published as articles on /. so make sure to go to:
https://slashdot.org/~__aaclcg...
https://slashdot.org/~IDrinkFa...
https://slashdot.org/~_sharp'r...
https://slashdot.org/~crreimer
https://slashdot.org/~cdreimer
https://slashdot.org/~criss69
https://slashdot.org/~Anonymou...
https://slashdot.org/~FatCashe...
https://slashdot.org/~ILoveFat...
https://slashdot.org/~IHateFat...
https://slashdot.org/~IAteFatC...
https://slashdot.org/~ITapeFat...
https://slashdot.org/~IApeFatC...
https://slashdot.org/~IPrayFat...
https://slashdot.org/~FatCashe...
and mod down his submissions as well. The great thing is that you don't even need mod points to mod down a submission, just click on the "minus" icon!

Yes, believe it or not, creimer owns all the above sock puppet accounts. It is a mystery why Slashdot management tolerates it!

creimer wrote:

I don't bother with mod points. I'm doing something much more sinister. It took ten story submissions ? I'll have to double check the number ? to move cdreimer's karma from neutral to excellent without ever being exposed to the capricious mods. Mmmmmwwwwahahahahahahaha!

https://slashdot.org/comments....

Danger, Will Robinson, Danger! Creimy is posting more than 2 posts a day. Hurry! mod down otherwise /. will go to hell again!

Note: you can mod down even if already at -1 to lower karma and to prevent lost /. users to accidentally mod up.

creimer wrote:

All you need to do is find a website with a permissive TOS, say, Slashdot, create a Python script to scrape your own comments, sprinkle Amazon affiliate links in various posts, and then re-post past links whenever possible. Won't be long before you start making "coffee money" each month.

https://slashdot.org/comments....

C.D. Reimer is a renowned Slashdot collaborator, as he puts it himself; "Because of the quality of my posts and my article submissions, I'm a highly rated commentator and moderator."

But does anybody ever wondered what "C.D." stands for? Well, it stands for Creimy Dumpty of course!

Creimy Dumpty sat on the wall,
Creimy Dumpty had a great fall.
All the king's horses
And all the king's men
Couldn't put Creimy Dumpty
Together again.

Creimy's siblings video and theme song, very realistic, especially the pants, just like Creimy's:
https://www.youtube.com/watch?...

With "Vice President Pence Vowing US Astronauts Will Return To the Moon", we ar

Re:Prior art

The butthurt is strong with this one.

Re:Prior art

I am sure it isn't as strong as when your uncle took you to the forest.

There you are shit posting with yet another fake account, you revenue stream hogging disgusting fat sexist tube of lard, Christopher Dale Reimer!

You can be sure I will be watching this fake account too. I know this is you because you told me you were working on your freepass 11 file server and you are so dumb that you can't even masquerade yourself properly.

Now, I told you I was out of meds last week and you didn't even care to contact me you lazy fucker.

How many times do I have to express the emergency of the situation??????

The python click script you wrote for my pheromone revenue stream web site suddenly stopped to work!!!!!!

You fucking incompetent python script writer!!!

When it works, I get 4000+ clicks a day on my pheromone revenue stream web site but only 5 or 6 without it!!!!

Now, it seems like you dont care and that you have abandoned me you heartless fucking pig!

Bonus:
Here is a story that creimer told me when convincing me what a hard life he had:

The tree was him and the tree knot was his butt hole!

So, his uncle packed his fat ass with lard and with his cock! Not that it makes much of a difference but anyway, there it is!

Signed:
Ethell, The girl that used to love you and now hates you, burn in hell where you belong you sexist pig!

Ban All Russians From Contributing to Windows

If you can't trust Russians, how many of them are working for M$?

How many are working for other proprietary applications free or commercial for Windows?

Re:Ban All Russians From Contributing to Windows

[KiloByte]

But the question is, who is a Russian? I propose defining that anyone with more than one grandparent of Russian blood is to be considered a Russian. For personnel for high-security duties, no ancestors since 1750 may be Russian.

All Russians are white, too. You'd better avoid the Chinese as well, as both of these countries are economically hostile against the US. Thus, no whites or asians may be allowed for any trusted jobs. Also, as neither Russia nor China recognizes genders which don't exist in nature, you can avoid all such spies by disallowing males and females who identify as their birth gender. See, and the rightards claim that tech companies partake in racial and gender discrimination for no rational reason!

Re:Ban All Russians From Contributing to Windows

Fuck it then, just ban ALL people from contributing to proprietary software like Windows. Demand open source hardware and software.

Oh but we needs Windows for games!

No, you don't. What you're a slave of is DirectX.

Re:Ban All Russians From Contributing to Windows

But the question is, who is a Russian?

I'd say we all are, at this point - at least until we get Trump out of office.

Re:Ban All Russians From Contributing to Windows

[Aighearach]

Same as other racists, your problem is that you asked "who" instead of "what."

Instead of trying to classify the people, instead the useful question is: What is Russia? And what therefore amounts to Russian control of a non-Russian network resource?

It may turn out to be an issue between nation-states, not an issue between individuals at all. And it may actually be very easy to tell US Government property from Russian Government property!

Re:Ban All Russians From Contributing to Windows

[KiloByte]

Same as other racists, your problem is that you asked "who" instead of "what."

Excuse me, please tell me how could I write my post in a tone even more mocking?

Re: Ban All Russians From Contributing to Windows

[bestweasel]

It was definitely of interest during the (first) Cold War if you had relatives or ancestors the other side of the Iron Curtain and you applied for a government or other potentially sensitive job. A relative of mine lost his job as a pilot because his brother was living in the West.

Family members are still used by ruthless regimes to put pressure on those otherwise out of reach so despite your exaggeration, it's a valid concern.

Re:Ban All Russians From Contributing to Windows

[Nivag064]

You were mocking???

Disclaimer:
Englishmen never tell the truth! I should know, as I am an Englishman.

Re:Ban All Russians From Contributing to Windows

Outsource it all to India !

Re:Ban All Russians From Contributing to Windows

Nice straw house you built there. Too bad the it's susceptible to flamethrowers.

APAV

as the security suite is embedded too deep in our infrastructure

So, it's an advanced persistent anti-virus?

Karma is a bitch, eh?

~20 years of NSA infiltrating network components, who would have expect the other side to do the same...

ALLEGED interference campaign

There still has not been any proof or even shady evidence offered that Russia changed a single ballot or tampered with a single voting machine, or had agents at a single polling place to interfere with the election process..

Exercising the right of free speech in order to influence the way people think is called "politics," not "interfering with an election."

Foreign interests have "interfered" with our elections since the birth of the nation. It's nothing new. Get over yourselves.

Re:ALLEGED interference campaign

exactly... and if everyone is so sensitive to influence.. why is the DNC not being investigated for paying $700k to Christopher Steele for that "fake" dossier based off intel given by another Mi6 asset, who just happened to work for the Clinton foundation

https://disobedientmedia.com/2018/04/all-russiagate-roads-lead-to-london-as-evidence-emerges-of-joseph-mifsuds-links-to-uk-intelligence/

Re:ALLEGED interference campaign

She wasn't supposed to lose, and all of this sloppy "muh Russia" bullshit was intended to be in service of furthering deep state control of the country and increase domestic surveillance in order to "protect the democratic process from the forces of evil", i.e., Russia, under the Clinton II administration.

The entire Russian hacking "scandal" is the establishment trying to pivot the narrative to from the planned "Russia is the center of the 'Axis of Evil 2.0' and must be destroyed in service of global neo-liberalism" to Trump being a Russian stooge and an illegitimate president.

i could fix it in an hour

[FudRucker]

wipe the drives of EVERYTHING!!!

install Linux, problem solved, tell all the users they need to brush up on their computer skills and quit surfing porn for 6 months, that should give them time to learn their way around the basics of using Linux for a desktop workstation operating system, libreoffice or openoffice whatever the user chooses,

Re:i could fix it in an hour

[Actually,+I+do+RTFA]

, libreoffice or openoffice whatever the user chooses,

Step 1 in using Linux in an environment beyond your personal use: Make all those decisions for the users.

Step 2: Recognize that making 22 million people take even a 1 hour class (let alone "6 month") is a cost of more than half a billion dollars. Therefore, anything you can do to make it easier to learn is worth doing.

Re:i could fix it in an hour

[sarren1901]

Are trying to some how say those same 22 million people aren't wasting at least an hour or more a week on unofficial breaks and chat sessions? Just think of the inefficiencies!!! If the environment was setup correctly, with limited but specific programs needed to get the job done, then most people would do fine on most any operating system. This is especially true if you spend most of your time in a web browser or specific application for most of your work. At my work MS office, outlook and IE are pretty much the only tools we use outside of a two legacy applications that run on SCO (shudders) hardware, in which case we ssh into those. Ironic it is SCO but at least we got some linux running at work.

Re:i could fix it in an hour

[Bert64]

For most use cases, a change to linux will be a minor adjustment to the UI - if they even notice at all, and depending on which UI they were using previously, and which UI you choose to run on top of linux.

There are also significant differences between windows xp/7/8/10, as well as various applications they might have been using, switching to a newer version of windows and msoffice can be as big of a change for many users as switching to linux.

Most of those users are probably already using linux in one form or another (chromeos, android, embedded).

Most users don't actually care what they're running, and will use whatever they're given. They will complain about change - whatever the change might be, and after a while they'll get used to it and get on with their jobs.

Re:i could fix it in an hour

[Actually,+I+do+RTFA]

Oh, a conversion is possible, for sure. But the OP was saying "just have them learn Linux, then choose an office suite, and then..." The right way to approach it is to produce one highly unified official distro, with all those decisions made. Hide most of the changes underneath a easy-to-use GUI. Get help staff ready, etc.

Although, your point about "already running Linux" is disingenuous. While ChromeOS, Android and embedded systems may all run Linux, none of them feel like linux. Most Android users cannot access the filesystem, ChromeOS is essentially booting directly into Chrome and SSHing into an embedded system has probably been 0 peoples way of learning Linux (highly technically people moving to Linux aside.)

Re:i could fix it in an hour

Let me know how that MS Access database, very secific Excel sheets, and homegrown w32 software written with OCX controls works in Linux.

I am personally all for Linux, but you know that what I previously described is the dirty underbelly of just about every government office.

Re:i could fix it in an hour

[nasch]

Are trying to some how say those same 22 million people aren't wasting at least an hour or more a week on unofficial breaks and chat sessions?

And they would just stop doing that if they were switched to Linux? If it were so easy to get rid of inefficiencies, it would have been done already.

The question to ask..

[lionchild]

The question to ask, as both a taxpayer and an IT guy is this: What's the "penalty" for failing to make the October deadline?

Re:The question to ask..

[Sean+Clifford]

The question to ask, as both a taxpayer and an IT guy is this: What's the "penalty" for failing to make the October deadline?

For federal IT folks the penalty is public execution.

Re:The question to ask..

[pak9rabid]

Nothing, you just apply for an extension and it's typically granted.

Re:The question to ask..

[fahrbot-bot]

The question to ask, as both a taxpayer and an IT guy is this: What's the "penalty" for failing to make the October deadline?

You have to manage a network using McAfee HBSS.

Re:The question to ask..

Shaddap Trumpie faggot, you're going to prison either way traitor.

Nice to see you Ivan, but really, you should stay on the other side of the aisle. We don't like your kind around here.

Re:The question to ask..

[flink]

The question to ask, as both a taxpayer and an IT guy is this: What's the "penalty" for failing to make the October deadline?

You have to manage a network using McAfee HBSS.

You joke, but that is, in fact, the apporved DoD solution:
https://www.disa.mil/cybersecu...

All proprietary software should be banned

this includes Windows.

Re: All proprietary software should be banned

Well, on my Win 7 home machine, Win 10's tentacles show the same persistence as the subject of this article.

Russians embedded too deep

We can't uninstall a program.

Stupid Idiots

Sadly the morons who put it there in the first place are getting their fat cat pensions. Why they were using this in the first place is beyond me. You would have to have been pretty dull to not have known its true purpose considering who founded it. But it people make all kinds of stupid decisions to save a buck here or there, Lenovo equipment, cough.

Turtles all the way down

U.S. officials say that's impossible as the security suite is embedded too deep in our infrastructure,

So is Microsoft Windows, Microsoft Office, etc.

Replacement?

[cogeek]

Wondering if they'll replace it with TrendMicro, because that would be so much more secure....

Re:Replacement?

[khandom08]

They'll probably go with something like av360.

Re: Replacement?

I hear CleanMyPC gets good results.

Re:Replacement?

Wondering if they'll replace it with TrendMicro, because that would be so much more secure....

Whats wrong with trendmicro? It's served me better then norton and macafee ever has. and has never slowed my computer to a crawl or taken out the os when trying to uninstall it.

Re:Replacement?

> It's served me better then norton and macafee ever has. and has never slowed my computer to a crawl

Comparing it to probably the two worst anti-virus programs in the world doesn't mean that it's good, only that it isn't as bad.

I need another drink

wipe the drives of EVERYTHING!!!

install Linux, problem solved,

Unless of course there's a rootkit in firmware somewhere, and wiping does nothing to solve the problem. APT cases are many.

Re:I need another drink

[Woldscum]

Yep. Ask Sony music CDs.

https://en.wikipedia.org/wiki/...

Re:I need another drink

https://pastebin.com/z6Gb6VfJ

Re:I need another drink

[Bert64]

Even if there's a firmware backdoor, it depends on how it interacts with the running OS...
If it's totally independent then it can still do its thing, but then it's somewhat limited in what exactly it can do. If it's aware of the OS then it can be far more effective, but is also likely to break if the OS is significantly changed.

If this had been an actual emergency

[Sloppy]

The government is lucky this Kaspersky scare is bullshit, then. If this had been an actual emergency (e.g. the software were doing something bad, whether by design or due to some random bug that you can't fix because it's proprietary), sounds like everything would be totally fucked.

Re:If this had been an actual emergency

[Narcocide]

Yes, unfortunately the surest sign that Kapersky refused to act on behalf of the Russian government (and ours, apparently) is that this is even being considered in the first place.

Re:If this had been an actual emergency

[Aighearach]

It is a known fact that you don't have the information needed to determine it is "bullshit."

And you never would have it. And the second part of what you said is therefore the whole part that isn't bullshit; it might be an emergency, in which case the network is fucked.

Since knowledge of the evidence for the concern is classified, you don't know about it; and even if you had a security clearance, we know your job doesn't involve knowledge of these particulars because then you wouldn't be allowed to tell us. So by definition, you can't know it is bullshit; you either have reasons to believe it is a problem, because there is public information about what the danger is in losing control of a network, or you don't fucking know.

I'll give you a hint: If your opinions about network security are based on your domestic politics, you're a fucking idiot.

Re:If this had been an actual emergency

Actually, the entire backstory of this whole farse is very widely known in cybersecurity circles, including the so-called "classified" facts (which are widely disseminated outside the US where said "classification" of otherwise widely known information is not relevant).

Here are the crib notes and timeline, without dates:

- Equation group leaks
- Equation Group software widely attributed to NSA in cybersecurity circles
- Kaspersky researchers tie Equation Group to creators of both stuxnet and Flame via forensic analysis (note they DO NOT call out NSA here, but anyone with half a brain can put 2 and 2 together)
- US military and/or NSA (not totally known as it is "classified") become involved in middle east anti-terrorism espionage using malware deployed on public wifi networks
- Kaspersky publishes research on said malware, again without attributing it to anyone, but making it public
- US military and/or NSA (not totally known as it is "classified") have to pull out of their espionage and invoke a burn order since they are exposed

To make it even shorter - Kaspersky did their job. Because their job exposed US government activities, the US government got pissed.

Re:If this had been an actual emergency

The government's opinions about network security are based on domestic politics

Re:If this had been an actual emergency

It is a known fact that you don't have the information needed to determine it is "bullshit."

Precisely right. Just because the US Government says that Kaspersky Lab Software is a risk validates nothing about there being an actual risk. Of course, that by definition makes the evaluation bullshit.

And you never would have it. And the second part of what you said is therefore the whole part that isn't bullshit; it might be an emergency, in which case the network is fucked.

If it's such an emergency and the whole network is fuck, then the US Government position is bullshit for so loudly declaring a problem that leaves over a year of time to be exploited.

Since knowledge of the evidence for the concern is classified, you don't know about it; and even if you had a security clearance, we know your job doesn't involve knowledge of these particulars because then you wouldn't be allowed to tell us. So by definition, you can't know it is bullshit; you either have reasons to believe it is a problem, because there is public information about what the danger is in losing control of a network, or you don't fucking know.

National Security in this context is bullshit when the cat is already out of the bag. If the problem is really that severe, then the US government should revert to other, secure means and Congress should be paying for the switch over. Since none of this is happening, It's business as usual. Business as usual says the US is doing great which is either (1) bullshit disinformation for politicos, (2) bullshit disinformation to hide the cyber security clusterfuck, or (3) possibly an actual accurate assessment of the situation within their assessment abilities. I imagine it's a combination of the 3, which makes it bullshit.

I'll give you a hint: If your opinions about network security are based on your domestic politics, you're a fucking idiot.

If you listen to Aighearach's arguments on what to believe, are you any better?

Re:If this had been an actual emergency

This. Pretty obvious to anyone even remotely near the security consultancy field.
Combine that with all these accusations without anyone ever pointing out what and how the software is doing anything bad.

Re:If this had been an actual emergency

Here's another hint. The NSA would have been testing this shit for years, so a "recent" analysis theory is flawed. Therefore it is bullshit.

Re:If this had been an actual emergency

100% spot on.

Re:If this had been an actual emergency

How about the fact that Russia was using Kaspersky software to scour the world for US secrets??
This is either through negligence or malice, either way it shouldn't matter to any other nation state, especially the US.

Re:If this had been an actual emergency

[rtb61]

Kind of stupid to ban and attack foreign software because of course that makes a giant target of all US software. The US government is basically broadcasting a public message that US software can not be trusted because they will put back doors in it. This because they failed to prove anything wrong with Kaspersky software, just that they expect the Russian government to do what the US government does with security letters.

M$ Windows anal probe 10, with it's unique to you updates, oh yeah, one security letter and that update is truly unique, straight up firmware hacking unique and just so you know, that goes all the way back to stale piss - XP. I trust Kaspersky software over M$ software. Still FOSS is the safest way to go, operating system and all applications.

Still the hacking bullshit though and yet the only actual charge, thirteen trolls and a Russian click bait company.

Re:If this had been an actual emergency

[gweihir]

Indeed. Fortunately, it still looks like Kaspersky's collusion with the Russian government is about as real as the WMDs in Irak. My personal take is still that Kaspersky is likely the only AV vendor that flat-out refused to work for the either NSA and that the US government is pissed at that.

Re:If this had been an actual emergency

Ah, yes: "The Russian operation, described by multiple people who have been briefed on the matter, is known to have stolen classified documents from a National Security Agency employee who had improperly stored them on his home computer, on which Kaspersky’s antivirus software was installed. ... The N.S.A. bans its analysts from using Kaspersky antivirus at the agency, in large part because the agency has exploited antivirus software for its own foreign hacking operations and knows the same technique is used by its adversaries."

Does the NSA also ban its analysts from using Windows given they also exploit it? Or is it fair game because they aren't sure if foreign adversaries do the same? Is the problem merely that the software is insecure and governments aren't bothering to patch it? Or is it specifically that it has ties to the Russian government?

See, I have no problem with the notion that they can't trust Kaspersky's software because it's repeatedly proven to be unsafe. But if that's the standard, then they really should avoid all the software they're currently exploiting at a minimum. Of course, this will give their adversaries a heads up to what software is insecure and hence to avoid, and Russia/China have gotten access to the source of most software that's critical to them precisely to avoid the obvious backdoors so such would potentially severely hamper how the NSA does business. Yet, it's the obvious thing that must be done if they don't want all their secrets taken.

tl;dr The NSA's inability to keep a secret was the core of the problem.

Re:If this had been an actual emergency

Kapersky's biggest problem is that they have such a Russian sounding name. Can't they re-brand the product and name something like "Eagle Anti-Virus" or "Liberty Anti-Virus"? I think that might be the easiest way to solve this problem.

Re:If this had been an actual emergency

[Daralantan]

Crying Eagle Anti Virus!

Re:If this had been an actual emergency

Correct horse battery staple?

Virus or Anti-Virus

[coolmoose25]

If you can't get your Anti-Virus software off of your equipment, is it really anti-virus, or has it just become another virus?

Re:Virus or Anti-Virus

If you can't get your Anti-Virus software off of your equipment, is it really anti-virus, or has it just become another virus?

Look a little deeper.

Your black box is Windows.

So too are the rest of the closed source applications which ship with or are made for Windows.

Once you've solved the black box OS problem, you've solved the black box anti-virus problem.

Re:Virus or Anti-Virus

Because firmware isn't a thing?

Smart network cards don't exist?

Re:Virus or Anti-Virus

Citation needed: Kaspersky being on non-Windows devices. If they're talking about Windows Embedded, uninstall it.

Re:Virus or Anti-Virus

From TFA, Kaspersky's website lists dozens of technology partners that have baked Kaspersky code into their products. Not all of them produce Windows-based appliances.

Re: Virus or Anti-Virus

"code written by the Moscow-based security company is embedded deep within American infrastructure, in routers, firewalls, and other hardware"

Re:Virus or Anti-Virus

So because we can't get rid of firmware we should actively try to download and run as many infected applications and operating systems as we can?

Re:Virus or Anti-Virus

[gweihir]

Alternatively, they just have terminally incompetent and grossly underfunded IT people. That strikes me as a massively bigger risk than the alleged (but not really credible) risks from Kaspersky.

Huh?

[rsilvergun]

bullshit. Do a week of training with one of their competitors, uninstall the old stuff, install the new stuff, call it a day. None of this is difficult. These are software programs designed to take care of security for end users.

Re:Huh?

[AvitarX]

And if the issue is a piece of security software embedded in the equipment?

It sounds like it's a budgeting issue more than a capability one. They can't do it within their existing budget, not that they can't do it at all.

Re:Huh?

[KiloByte]

You know that, and so do the admins of govt networks. But without the whining, their departments won't get that hundred million bucks of extra budget.

Re:Huh?

[dyfet]

I think you missed the part about "embedded in routers", etc...

Re:Huh?

Kaspersky launched their router OS 2 years ago. Are they saying that during the time we were looking at Kaspersky as a threat we purchased their devices?

Re:Huh?

[jbmartin6]

The article wasn't at all clear about what "code written by the Moscow-based security company is embedded deep within American infrastructure, in routers, firewalls, and other hardware" means

Re:Huh?

bullshit. Do a week of training with one of their competitors, uninstall the old stuff, install the new stuff, call it a day. None of this is difficult. These are software programs designed to take care of security for end users.

Since it isn't difficult, would you mind helping me out a bit with doing this?

I have here a Linksys AC3200, which has Kaspersky 2010 embedded in it.
It's on the latest firmware which still has Kaspersky in it, and it's digitally signed firmware, so I can't find an easy way to replace it with something 3rd party.

Can you instruct me what and where to click to just uninstall it?
As you say, replacing the router isn't an option with only $0 to spend on a new one.

While this may be venturing off-topic, I also have here a Linksys WRT160N.
This piece of crap has Norton AV bundled in it, which is even worse!
Is it just as easy to uninstall Norton on this thing without replacing it?
To be fair, I'm no longer using this one as the AC3200 was the actual replacement, although it certainly wasn't free.

I'm only familiar with uninstalling software from Windows ("Programs" control panel), OS X (just drag it to the trash), and Debian (apt-get remove)
I've never had to decrypt firmware, unpack it, remove custom compiled software to replace it with other custom compiled software, then figure out a way to re-encrypt it so the router thinks it is legit and unchanged.

Thank you for your time!

Re:Huh?

[Ichijo]

And if the issue is a piece of security software embedded in the equipment?

Then you use the "training" charge code to order new equipment because you've just been educated to demand open source hardware from now on!

Re: Huh?

Juniper has a Kaspersky subscription in their routers, or at least they did a decade ago.

Re:Huh?

Yes, smartass, you reflash new firmware on the router. There's a page for it and everything. You don't have to decrypt or recompile shit. You're just too stupid to know how. YOU don't get to have your security fixed for free. The gov, however isn't staffed with utter buffoons such as yoruself. They can fix this stuff using only labor, but you'll either need to pay someone who does know, replace with a new unit, or pay to educate yourself. That's YOUR options for being a dumbass. Now kindly fuck off.

Re: Huh?

Try looking for a DD-WRT or Tomato build for your router. It completely replaces the existing firmware, bypassing the signing, and is open source and feature packed. I don't ever run a router without it nowadays unless there is no build for a particular model.

Re:Huh?

> Yes, smartass, you reflash new firmware on the router.

He said he had the newest firmware, and good luck getting a 3rd party firmware with it removed if he needs a signed firmware to actually flash it.

If it wasn't government, there would be a solution

[xxxJonBoyxxx]

>> Congress didn't give anyone money to replace these devices, and the budget had no wiggle-room to begin with

In the real world, I'd go to Kaspersky's biggest competitors and say, "if you replace these guys on a one-to-one basis (at no charge this year), we'll give you their support contracts in future years."

I smell BS

[sheph]

A government agency with no slack in their budget? Inability to remove third party software because it's embedded too deeply? This has all the look and feel of another tax payer shakedown.

Cut The Hardline!

No, Cut The Hardline!

Way worse

[Impy+the+Impiuos+Imp]

"We thought it was just the White House computers crawling with stuff helpful to Putin but it's worse than we thought!"

Re: If it wasn't government, there would be a solu

Getting that proposal approved, authoring the RFP, doing even a basic appraisal of responding vendors all costs money that is not in the budget.

U.S. government: Years of insufficient management.

[Futurepower(R)]

From the summary: "Congress didn't give anyone money to replace these devices, and the budget had no wiggle-room to begin with."

I hope the U.S. will eventually have a healthy government.

The parent comment: "~20 years of NSA infiltrating network components, who would have expected the other side to do the same...?" (Slightly edited.)

"National Security is the chief cause of national insecurity." - Celine's First Law.

Life in the U.S. is rapidly degrading.

Re: If it wasn't government, there would be a solu

Government officers are forbidden from making promises like that, Congress will void the contract and put them in jail.

Nuclear Option

[meerling]

LoL, it's called "uninstall".
Of course, if you're still afraid they left some kind of spyware, then just Nuke & Pave.

Tossing the hardware because you can't figure out how to use an uninstall something is only a solution for a rich moron that's a complete computer illiterate.
Sure a bunch of the higher ups more or less fit that category, but it's not like they're the ones that'll be doing any of it in the first place.

For that matter, even if they buy new hardware, it'll still have to be configured and have the appropriate software installed on it, so it's no more work for IT than doing a nuke & pave. Besides, it'll take more time and a lot more money to get that unneeded replacement hardware.

However, if they do go full moron and buy new hardware, please send the old ones to me. :)

I don't see the problem

[rsilvergun]

it's a bloody national security issue. Get the money for new hardware out of the Defense budget. There's no shortage of money there.

Re:I don't see the problem

Trouble is: unfunded mandate.

You must do all this work.

We aren't paying for it.

Kaspersky ain't shit ...

[CaptainDork]

... compared to removing Avast.

Re:Kaspersky ain't shit ...

I don't remember having too much of an issue when I uninstalled Avast in 2016 to replace it with Kaspersky. It wasn't free of pain but it wasn't as bad as some others, like fucking McAfee.

I'd still be running Avast if it wasn't for the slow and steady ramp up of the fear mongering. Telling me stupid bullshit like I'm unprotected and at risk because I'm not running their stupid VPN. It went from a one time thing to literally a daily popup telling me I needed to be running this or that. There was also a slow, steady creep of wanting to take more and more control over my system, and it was getting to the point where it would uninstall something and then inform me as an afterthought.

Bottom line, fuck Avast. Marketing should never dictate the path of a security product, and their marketers seem to be running shit over there.

Re:Kaspersky ain't shit ...

[ebvwfbw]

I never had any trouble with it. I've de-installed, installed a number of time. No problem.

Some others like McAffee, Norton, some others hold onto your system for dear life. Like a tick. Seems like they are a virus.

Re:Kaspersky ain't shit ...

[CaptainDork]

That's you.

How about some empathy for lay people?

Avast has a file that has to be downloaded; saved to Desktop; and executed in Safe Mode .

For those you mention, they are a bitch. I use Revo Uninstaller with deep remove.

Re:Kaspersky ain't shit ...

[ebvwfbw]

If you're on slashdot, I'm going to presume you're not a lay person.

Maybe I'm expecting too much? Is slashdot so easy even a cave man could find it?

Re:Kaspersky ain't shit ...

[CaptainDork]

So it's your position that lay persons don't use any of this shit?

Re:Kaspersky ain't shit ...

[ebvwfbw]

So it's your position that lay persons don't use any of this shit?

You need to be more definitive in what you're asking about. Slashdot, anti-virus programs or removing them?
Doesn't matter I suppose. Sure, there are lay people on slashdot. Maybe you're one of them, who knows. You're not on facebook and you're not on twitter. Slashdot has always been more technically oriented. News for nerds, why would I expect you to not be a nerd? Maybe you missed that part? You're welcome to be here (even though some people on slashdot can be very abrasive), ask questions. However if you have trouble removing avast, I have a hard time feeling sorry for you. I have a friend that he could be the picture in the dictionary for a lay person and he was able to do it. No kidding. The dude is a bad check collector for the past 30 years. That's as far as he can go. He's not a cave man, however he's not far from it.

Doors are in front of you. Probably a lot of the same doors that were in front of me. You can leave them closed or you can use your brain to open them up. It's up to you. Don't expect empathy. You won't be disappointed if you don't expect it. I certainly don't expect any for my difficulties and failures.

Change it for Cisco and Intel (MCafee) products

Americans don't deserve any security.

Incredibly stupid

[darkonc]

The US government using Russian-made software to secure their machines is like the time that they let Russian workers build the Moscow embassy. It ended up being so bug-ridden that they had to rebuild parts of the new building in order to have a secure zone.

Re:Incredibly stupid

Does that mean we shouldn't have hired that Russian contractor to build the new NSA headquarters even though they were the lowest bidder?

Hard to believe this is a problem

Can't they just e-mail it all to Hillary Clinton? She knows how to deal with... this kind of thing. Or, have Michael Cohen pay it to go away... damn it all, I've been watching too much news lately, haven't I. Oh, wait! Send it to Leilani Estates in Hawaii... Yep. Too much news.

All foreign software/hardware is a risk.

[gestalt_n_pepper]

Don't think there are backdoors in Asian chips and boards?

Don't think there are other vulnerabilities put into software outsourced to India, China or Eastern Europe?

If so, you're an idiot, or just possibly a naive, uninformed, incompetent military/security timeserver more concerned with saving money and getting a good review than with actual national security.

Or maybe you're just stupid enough to trust our silicon valley overlords who do the actual outsourcing. I'm sure they give a shit about national security over profit.

Just a thought.

Re: If it wasn't government, there would be a solu

Then Congress does not get to make the claim they care about National Security.

funny if they just did it!

would be really funny if these people just carried out the order and got rid of the software and devices... shut everything down... they ought to do it... just to see what happens...!!!

Uninstalls should be tested early.

[middlebass]

When software is tested the testing should include the ease of a full uninstall, plus some regression testing to be sure the uninstall didn't have side effects. I stopped buying Logitech products about 15 years ago when one uninstall had side effects that took me 8 hours to fix.