Slashdot Mirror


US Government Can't Get Controversial Kaspersky Lab Software Off Its Networks (thedailybeast.com)

The law says American agencies must eliminate the use of Kaspersky Lab software by October. But U.S. officials say that's impossible as the security suite is embedded too deep in our infrastructure, The Daily Beast reported Wednesday. From a report: Multiple divisions of the U.S. government are confronting the reality that code written by the Moscow-based security company is embedded deep within American infrastructure, in routers, firewalls, and other hardware -- and nobody is certain how to get rid of it. "It's messy, and it's going to take way longer than a year," said one U.S. official. "Congress didn't give anyone money to replace these devices, and the budget had no wiggle-room to begin with."

At issue is a provision of the National Defense Authorization Act (NDAA) enacted last December that requires the government to fully purge itself of "any hardware, software, or services developed or provided, in whole or in part," by Kaspersky Lab. The law was a dramatic expansion of an earlier DHS directive that only outlawed "Kaspersky-branded" products. Both measures came after months of saber rattling by the U.S., which has grown increasingly anxious about Kaspersky's presence in federal networks in the wake of Russia's 2016 election interference campaign.

18 of 127 comments

  1. Re:Prior art by khandom08 · · Score: 3, Funny

    It's Trojan horses all the way down....

  2. Re:AI Solution? by Anonymous Coward · · Score: 3, Funny

    Al is looking into it. (He prefers Alphonse, BTW) He said the Kaspersky shit is like Norton and is a bitch to get off of the machines.

    It'd be best to just trash the machines and start with all new ones.

    Alphonse knows a guy who knows a guy who can get really cheap machines. His name is Wong Wei Wang. His company is based in Beijing and is called (English translation) Friendly Not Government Controlled Computer Company. The Trump administration has already OKay'd it. Eric is such a great guy according to Wong.

  3. The question to ask.. by lionchild · · Score: 3, Insightful

    The question to ask, as both a taxpayer and an IT guy is this: What's the "penalty" for failing to make the October deadline?

    --
    Awk! Pieces of eight. Pieces of eight. Pieces of seven... ERROR: General Protection Fault. [Paroty Error.]
    1. Re:The question to ask.. by flink · · Score: 2

      The question to ask, as both a taxpayer and an IT guy is this: What's the "penalty" for failing to make the October deadline?

      You have to manage a network using McAfee HBSS.

      You joke, but that is, in fact, the approved DoD solution:
      https://www.disa.mil/cybersecu...

  4. If this had been an actual emergency by Sloppy · · Score: 4, Insightful

    The government is lucky this Kaspersky scare is bullshit, then. If this had been an actual emergency (e.g. the software were doing something bad, whether by design or due to some random bug that you can't fix because it's proprietary), sounds like everything would be totally fucked.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    1. Re:If this had been an actual emergency by Aighearach · · Score: 3, Insightful

      It is a known fact that you don't have the information needed to determine it is "bullshit."

      And you never would have it. And the second part of what you said is therefore the whole part that isn't bullshit; it might be an emergency, in which case the network is fucked.

      Since knowledge of the evidence for the concern is classified, you don't know about it; and even if you had a security clearance, we know your job doesn't involve knowledge of these particulars because then you wouldn't be allowed to tell us. So by definition, you can't know it is bullshit; you either have reasons to believe it is a problem, because there is public information about what the danger is in losing control of a network, or you don't fucking know.

      I'll give you a hint: If your opinions about network security are based on your domestic politics, you're a fucking idiot.

    2. Re:If this had been an actual emergency by Anonymous Coward · · Score: 5, Insightful

      Actually, the entire backstory of this whole farce is very widely known in cybersecurity circles, including the so-called "classified" facts (which are widely disseminated outside the US where said "classification" of otherwise widely known information is not relevant).

      Here are the crib notes and timeline, without dates:

      - Equation group leaks
      - Equation Group software widely attributed to NSA in cybersecurity circles
      - Kaspersky researchers tie Equation Group to creators of both Stuxnet and Flame via forensic analysis (note they DO NOT call out NSA here, but anyone with half a brain can put 2 and 2 together)
      - US military and/or NSA (not totally known as it is "classified") become involved in Middle East anti-terrorism espionage using malware deployed on public wifi networks
      - Kaspersky publishes research on said malware, again without attributing it to anyone, but making it public
      - US military and/or NSA (not totally known as it is "classified") have to pull out of their espionage and invoke a burn order since they are exposed

      To make it even shorter - Kaspersky did their job. Because their job exposed US government activities, the US government got pissed.

    3. Re:If this had been an actual emergency by Anonymous Coward · · Score: 2, Insightful

      It is a known fact that you don't have the information needed to determine it is "bullshit."

      Precisely right. Just because the US Government says that Kaspersky Lab Software is a risk validates nothing about there being an actual risk. Of course, that by definition makes the evaluation bullshit.

      And you never would have it. And the second part of what you said is therefore the whole part that isn't bullshit; it might be an emergency, in which case the network is fucked.

      If it's such an emergency and the whole network is fucked, then the US Government position is bullshit for so loudly declaring a problem that leaves over a year of time to be exploited.

      Since knowledge of the evidence for the concern is classified, you don't know about it; and even if you had a security clearance, we know your job doesn't involve knowledge of these particulars because then you wouldn't be allowed to tell us. So by definition, you can't know it is bullshit; you either have reasons to believe it is a problem, because there is public information about what the danger is in losing control of a network, or you don't fucking know.

      National Security in this context is bullshit when the cat is already out of the bag. If the problem is really that severe, then the US government should revert to other, secure means and Congress should be paying for the switch over. Since none of this is happening, it's business as usual. Business as usual says the US is doing great which is either (1) bullshit disinformation for politicos, (2) bullshit disinformation to hide the cyber security clusterfuck, or (3) possibly an actual accurate assessment of the situation within their assessment abilities. I imagine it's a combination of the 3, which makes it bullshit.

      I'll give you a hint: If your opinions about network security are based on your domestic politics, you're a fucking idiot.

      If you listen to Aighearach's arguments on what to believe, are you any better?

    4. Re:If this had been an actual emergency by Anonymous Coward · · Score: 2, Insightful

      This. Pretty obvious to anyone even remotely near the security consultancy field.
      Combine that with all these accusations without anyone ever pointing out what and how the software is doing anything bad.

    5. Re:If this had been an actual emergency by rtb61 · · Score: 2

      Kind of stupid to ban and attack foreign software because of course that makes a giant target of all US software. The US government is basically broadcasting a public message that US software can not be trusted because they will put back doors in it. This because they failed to prove anything wrong with Kaspersky software, just that they expect the Russian government to do what the US government does with security letters.

      M$ Windows anal probe 10, with its unique to you updates, oh yeah, one security letter and that update is truly unique, straight up firmware hacking unique and just so you know, that goes all the way back to stale piss - XP. I trust Kaspersky software over M$ software. Still FOSS is the safest way to go, operating system and all applications.

      Still the hacking bullshit though and yet the only actual charge, thirteen trolls and a Russian click bait company.

      --
      Chaos - everything, everywhere, everywhen
  5. Virus or Anti-Virus by coolmoose25 · · Score: 4, Insightful

    If you can't get your Anti-Virus software off of your equipment, is it really anti-virus, or has it just become another virus?

    --
    Brawndo: It's what plants crave!
    1. Re:Virus or Anti-Virus by gweihir · · Score: 2

      Alternatively, they just have terminally incompetent and grossly underfunded IT people. That strikes me as a massively bigger risk than the alleged (but not really credible) risks from Kaspersky.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  6. Huh? by rsilvergun · · Score: 3, Insightful

    Bullshit. Do a week of training with one of their competitors, uninstall the old stuff, install the new stuff, call it a day. None of this is difficult. These are software programs designed to take care of security for end users.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
    1. Re:Huh? by AvitarX · · Score: 2

      And if the issue is a piece of security software embedded in the equipment?

      It sounds like it's a budgeting issue more than a capability one. They can't do it within their existing budget, not that they can't do it at all.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    2. Re:Huh? by dyfet · · Score: 3, Informative

      I think you missed the part about "embedded in routers", etc...

    3. Re:Huh? by jbmartin6 · · Score: 2

      The article wasn't at all clear about what "code written by the Moscow-based security company is embedded deep within American infrastructure, in routers, firewalls, and other hardware" means.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  7. If it wasn't government, there would be a solution by xxxJonBoyxxx · · Score: 4, Interesting

    >> Congress didn't give anyone money to replace these devices, and the budget had no wiggle-room to begin with

    In the real world, I'd go to Kaspersky's biggest competitors and say, "if you replace these guys on a one-to-one basis (at no charge this year), we'll give you their support contracts in future years."

  8. I smell BS by sheph · · Score: 2

    A government agency with no slack in their budget? Inability to remove third party software because it's embedded too deeply? This has all the look and feel of another taxpayer shakedown.

    --
    I don't believe in karma, I just call it like I see it.