Forgot your password?
typodupeerror
Security Operating Systems IT Politics

Kaspersky's Exploit-Proof OS Leaves Security Experts Skeptical 196

Posted by timothy
from the trust-maybe-but-certainly-verify dept.
CWmike writes "Eugene Kaspersky, the $800-million Russian cybersecurity tycoon, is, by his own account, out to 'save the world' with an exploit-proof operating system. Given the recent declarations from U.S. Secretary of Defense Leon Panetta and others that the nation is facing a 'digital Pearl Harbor' or 'digital 9/11' from hostile nation states like Iran, this sounds like the impossible dream come true — the cyber version of a Star Wars force field. But on this side of that world in need of saving, the enthusiasm is somewhat tempered. One big worry: source. 'The real question is, do you trust the people who built your system? The answer had better be yes,' said Gary McGraw, CTO of Cigital. Kaspersky's products are among the top ranked worldwide, are used by an estimated 300 million people and are embraced by U.S. companies like Microsoft, Cisco and Juniper Networks. But while he considers himself at some level a citizen of the world, he has close ties to Russian intelligence and Vladimir Putin. Part of his education and training was sponsored by the KGB, he is a past Soviet intelligence officer (some suspect he has not completely retired from that role) and he is said have a 'deep and ongoing relationship with Russia's Federal Security Service, or FSB,' the successor to the KGB and the agency that operates the Russian government's electronic surveillance network."
This discussion has been archived. No new comments can be posted.

Kaspersky's Exploit-Proof OS Leaves Security Experts Skeptical

Comments Filter:
  • by KrazyDave (2559307) <htcprog@gmail.com> on Friday October 19, 2012 @06:15PM (#41711075) Homepage
    ... doesn't mean that Kaspersky isn't still tied to Russian military interests. Proceed with caution.
    • by Sir_Sri (199544)

      Being tied to them doesn't necessarily mean a whole lot. The Russians have as much of a vested interest as everyone else in spying on their friends and enemies, and while the roles may be reversed from NATO the russians are almost certainly spying on the Syrians and Iranians as much if not more than we are: The russians want to be sure they'll get paid.

      Sure, it would be nice if there was a magical operating system not easily exploited by intelligence agencies or computers of any sort tied to any dubious g

      • by farble1670 (803356) on Friday October 19, 2012 @07:08PM (#41711503)

        pre-cold war:

        USSR-based companies: in bed w/ the USSR government
        US-based companies: in bed w/ whoever pays them

        post-cold war:

        Russian-based companies: in bed w/ whoever pays them
        US-based companies: in bed w/ whoever pays them

        • by trifish (826353)

          So um, in bed with millions of people and thousands of corporations from DOZENS of different countries? Yeah, certainly there are no conflicting interests in that bed... Sheesh, what is called insightful post today.

    • by cpghost (719344)
      Doesn't this equally apply to all software vendors, irrespective of their nationality? And while we're at it: doesn't it ALSO apply equally well to hardware vendors? Do you really trust ASICs made in China, from blueprints drawn up in UK from a company that may have a Pakistani mole in its dev team, who has been bought by the Russian FSB or the Brazilian equivalent of the CIA?
    • by Hentes (2461350)

      It's not like this changes the current security guidelines. Only trust software you have analyzed the source of.

      • That limits you to software you wrote yourself, or rather small programs written by others. Chances of having the skills and time to meaningfully analyse an OS and browser for example are almost nil.

        • by Hentes (2461350)

          I didn't say it should be the job of only one person, obviously a big organisation will have many people on it. I only pointed out that software you don't have the source of shouldn't be trusted regardless of who is the developer.

  • A rigorous definition of "exploit" could be a challenge, and proving an operating system to be safe against them would be a major theoretical challenge.

    So start with something easier to assess: prove whether the operating system will halt.

    If you can't solve the easier problem, don't pretend to have solved the harder problem.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      I see what you did there! However, I think you misunderstand the halting problem: given a certain program, of course there may be a way to determine if it halts. However, the halting problem says that there is no algorithm that does this for all possible programs.

      • by loufoque (1400831)

        What you said is equivalent.
        You're the one not understanding what the halting problem is.

        Given a program, you cannot necessarily prove that it will halt or not. This is somewhat related to the incompleteness theorem: not all assertions can be proven.

    • prove whether the operating system will halt

      One of the few applications where proving that it will halt always leads to a bug being filed.

  • by Aryeh Goretsky (129230) on Friday October 19, 2012 @06:18PM (#41711111) Homepage

    Hello,

    This is a very interesting move by Eugene Kaspersky. Speaking as both someone who has worked at an embedded systems manufacturer (VoIP telephony gear) and also as a competitor (antimalware) I know that each one has very specialized toolchain requirements and that expertise in one area does not necessarily translate to mastery of the other.

    Probably more curious is the timing of the announcement: It seems an odd time for a Russian antimalware company whose founder has close ties to that country's intelligence agencies to announce a new operating system for critical infrastructure tasks, especially since the US House Intelligence Committee is tearing into Chinese telecom gear vendors Huawei Technologies and ZTE over concerns about the security of their products.

    That said, while my interaction with Eugene Kaspersky over the past decade has been minimal, he has assembled a world-class group of researchers, and I would have no concerns about running any code written by them on any computer I own were I not a competitor.

    Regards,

    Aryeh Goretsky

    • by WGFCrafty (1062506) on Friday October 19, 2012 @07:14PM (#41711527)

      That said, while my interaction with Eugene Kaspersky over the past decade has been minimal, he has assembled a world-class group of researchers, and I would have no concerns about running any code written by them on any computer I own were I not a competitor.

      Regards,

      Aryeh Goretsky

      "I have little experience but trust him". Why? Considering this article specifically questions the integrity of his ability to be partial, you should say why.

      And that is the bigger problem here: Kaspersky, by his own account, wants to change the world as well as save it, and not in ways that appeal to Western thinking and U.S. interests. Noah Schactman, in alengthy profile forWired.com, noted that Kaspersky doesn't like the current level of Internet freedom. He wants it partitioned, with a digital "passports" required for access to certain areas and activities. He advocates government monitoring and regulation of social networking sites.

      Can you as a business trust ANYONE who says stuff like that to protect your critical infrastructure/production lines?

    • by afxgrin (208686) on Friday October 19, 2012 @07:16PM (#41711547)

      Is how McAfee SiteAdvisor flags your site as exhibiting "Risky Behaviour", warning me before even visiting ...

      • by afxgrin (208686)

        This is the warning I get [siteadvisor.com]

        In case anyone wanted some evidence. :-)

      • Hello,

        That is very annoying; especially considering that I'm a former McAfee employee from long ago (1989-1995). I will yell at^H^H^H^H^Hpolitely ask someone over there to fix it. Thanks for letting me know.

        Regards,

        Aryeh Goretsky

        Is how McAfee SiteAdvisor flags your site as exhibiting "Risky Behaviour", warning me before even visiting ...

      • by Wingman 5 (551897)

        Is how McAfee SiteAdvisor flags your site as exhibiting "Risky Behaviour", warning me before even visiting ...

        Damn websites with their skydiving and their investments of money in fly by night businesses!

    • As someone who's known Aryeh professionally over many years, I do know that he's well qualified to make these comments.

      While I've never worked for a competitor, as he has, I have been at times extremely active in the antimalware circuit and do trust Kaspersky software. They're good people, and smart as hell, just need to work on improving their products some.

      That aside; Hey goretsky, long time no see :)

  • by Mr2cents (323101)

    This will fly right until the first exploit, after which all belief will be broken. I'm in an optimistic mood: I'll give it a year.

    • Thinking about it further, it might be possible if you make it totally unusable. (No you can't install a browser (are you NUTS?), no you can't download a file, no you can't run a server, no you can't do anything, get away from my keyboard you LUSER!). Should be great fun.

    • This will fly right until the first exploit, after which all belief will be broken. I'm in an optimistic mood: I'll give it a year.

      IBM has a mainframe program named IEFBR14. Officially, it does absolutely nothing. It's a dummy program used for things like anchoring JCL file allocations.

      There have been at least 5 releases of it, although one was an upgrade to 64-bit integers. The others all count as bugfixes. Because when it comes to computers, even doing nothing does something.

      • by Guy Harris (3803)

        IBM has a mainframe program named IEFBR14. Officially, it does absolutely nothing. It's a dummy program used for things like anchoring JCL file allocations.

        There have been at least 5 releases of it, although one was an upgrade to 64-bit integers. The others all count as bugfixes. Because when it comes to computers, even doing nothing does something.

        The first of them was, allegedly, the S/3x0 assembler-language and OS/360 equivalent of replacing

        int
        main(void)
        {
        }

        with

        int
        main(void)
        {
        return 0;
        }

        as per this RISKS Digest message [ncl.ac.uk] (the OS/360 and C calling sequences both treat a return from the main program as an "exit", with the exit status being the numerical return value of the main program).

        • IBM has a mainframe program named IEFBR14. Officially, it does absolutely nothing. It's a dummy program used for things like anchoring JCL file allocations.

          There have been at least 5 releases of it, although one was an upgrade to 64-bit integers. The others all count as bugfixes. Because when it comes to computers, even doing nothing does something.

          The first of them was, allegedly, the S/3x0 assembler-language and OS/360 equivalent of replacing

          int
          main(void)
          {
          }

          with

          int
          main(void)
          {
          return 0;
          }

          as per this RISKS Digest message [ncl.ac.uk] (the OS/360 and C calling sequences both treat a return from the main program as an "exit", with the exit status being the numerical return value of the main program).

          Actually, I think it was more like:

          "return x-x";"

          And in rare cases, where "x" (actually the contents of General Register 15) had the right value in it, this would ABEND the program due to an arithmetic overflow error. Which lead to the second fix, which also had a bug...

      • by whoever57 (658626)

        IBM has a mainframe program named IEFBR14. Officially, it does absolutely nothing.

        That's what they want you to believe, in fact it does .....+++ carrier lost +++

  • by nzac (1822298) on Friday October 19, 2012 @06:21PM (#41711135)

    I know its not exploit proof but becoming a platinum sponsor and insisting they spend the money on code review. Then make custom modifications to remove all functionality and you should get close.

    If the people buying and operating these systems really cared about security I am sure they could piece together a far more secure solution at the expense of cost and convenience from current software.

    • by gman003 (1693318)

      That would be a good start, but you'd need some further work. Most notably, the scheduler - unless things have changed since 3.8, OpenBSD doesn't have a real-time, hard-constraint scheduler, which is an absolute necessity for such a system. And the scheduler is big and complex enough to be a security risk - so you'll spend quite a bit of effort to make sure your new one is secure.

      But yeah, OpenBSD certainly wouldn't be the worst OS to start from for a project like this.

  • I think it would be great if he could actually pull this off. He's made himself into a huge target, though. Also, even if he does, our government would never use it, because they'd be worried about spying.
  • by gujo-odori (473191) on Friday October 19, 2012 @06:32PM (#41711231)

    There are a lot of levels of trust. For a machine that doesn't handle anything secret or financial data (including personal), Windows is generally good enough, for all its long history of exploits. Even then, many, many people and organizations use it for things that are secret or financial data anyway. Sometimes they get burned that way. A Mac is (maybe) a little better. Linux is better still.

    Then there's a level of trust way out at the extreme end. If the secrets are serious enough, you can't trust the system you built it yourself from source and audited every single line of said source. Since hardly anyone can do that, having it audited and built by people you trust (in the case of the government, the NSA, for example) has to due. If it's even more sensitive, the network, or maybe even the machine, should also be air-gapped.

    If you have a sensitive use case such as, oh, I don't know, running centrifuges to enrich uranium, should you trust a binary OS that wasn't built by your people to be either secure against exploits or to not be already trojaned? Of course not. Just ask the Iranians. Or the Russians themselves, who had a little refinery trouble during the cold war because of that.

    In such a case, you either want your people writing the code, or at least very carefully auditing every single line of the source, then building the binaries from that code. If you don't or can't, especially in the case of embedded systems, you cannot have any confidence that software is even secure against exploits, let alone that it won't turn on you.

  • Two things (Score:5, Insightful)

    by Gonoff (88518) on Friday October 19, 2012 @06:38PM (#41711283)
    1 - The cold war is over. Capitalism won (not democracy).
    2 - If I had a choice between something checked by the Russians, the US and the Chinese, the only one I would flat out reject would be the Chinese one. I see US spooks as no more concerned with my happiness and wellbeing than Russian ones.
    • Re:Two things (Score:5, Insightful)

      by circletimessquare (444983) <circletimessquar ... m minus language> on Friday October 19, 2012 @07:42PM (#41711687) Homepage Journal

      the american spooks will fuck you up for doing something against their geopolitical agenda

      so will the russians. but in addition, the russian spooks will fuck you up for doing something against the russian political status quo (and of course, the chinese too)

      america has going for it a genuinely much better tolerance for political dissent. you can say things about obama you can't say about putin or hu jintao. and that matters, it really matters

      but if you want to belittle that difference, you probably live in the west and have a well established antiestablishment attitude

      ok, now try that same antiestablishment attitude against moscow... in moscow. or against beijing... in beijing. exactly: your attitude just tells us you don't appreciate what you have

      in short, there is no nation you can fully trust. only differences in degrees. and the usa currently leads the list of trustworthiness of the superpowers. not that the usa doesn't have a lot of room for improvement. and not that it can't backslide. but currently it's the shinest piece of crap on top of the shit pile

      • by mcrbids (148650)

        There is nobody you can completely trust. In fact, the idea of completely trusting anything or anyone doesn't even make sense.

        You might trust your antivirus vendor to not maliciously plant viruses into your system, but you can be sure that they aren't out to make sure that their protection doesn't cost you as much as they can reasonably get out of somebody's back pocket. Further, if they didn't have that financial interest, they wouldn't have an interest in providing any kind of service to you at all.

        Balanc

    • 2 - If I had a choice between something checked by the Russians, the US and the Chinese, the only one I would flat out reject would be the Chinese one. I see US spooks as no more concerned with my happiness and wellbeing than Russian ones.

      What are you? Some kind of multinational Corporation? Or are you originally from Tibet?

      Personally, I'm just a nobody living in the US. I'm much more afraid of the US authorities than any other foreign government.

      Now if I was a nobody living in China, then yes, I might fear the Chinese government, but as it stands, China can't audit my taxes, only the US can audit my taxes. The same goes for my personal life, my voting record, my patriotism, my religious fervor, my sexual preference, or my music collection.

      • by drinkypoo (153816)

        What you should fear, then, is the USA using "flaws" in Chinese gear to spy on you. Do you _really_ think the world's major powers are _enemies_ at this point? A war on their own soil would be proof of real enmity, but all the wars are fought through proxies.

        • by bhiestand (157373)

          What you should fear, then, is the USA using "flaws" in Chinese gear to spy on you. Do you _really_ think the world's major powers are _enemies_ at this point? A war on their own soil would be proof of real enmity, but all the wars are fought through proxies.

          By that logic, the USSR and US were not enemies during the Cold War, either.

          Between nuclear powers with robust second strike capabilities, direct shooting wars are extremely unlikely. It doesn't mean they aren't maneuvering for the others' complete annihilation, just that they aren't willing to blow up the entire planet to bring it about.

          That said, I don't believe the US, China, or Russia can be considered "enemies". They are dynamic relationships where the countries can be opposed on some issues and alli

  • Very simple... (Score:5, Insightful)

    by ArcadeNut (85398) on Friday October 19, 2012 @06:42PM (#41711313) Homepage

    If it's man made and accessible, it's exploitable.

    Thinking otherwise is foolish.

    • This idea that we could build a magical "exploit proof" OS if only we want to bad enough is stupid. While some exploits happen because of stupid design decisions, far more happen because of simple unintended consequences.

      With an OS you are in the difficult position of needing to offer access but trying to keep out unauthorized access, and to do so in an ecosystem of arbitrary software on the system. That's a real hard problem to solve. Any time you build a door, it can be used for both wanted and unwanted v

  • Thanks for underlining the mistake. It's impossible to miss that way.
  • Not possible (Score:4, Insightful)

    by Waffle Iron (339739) on Friday October 19, 2012 @07:00PM (#41711451)

    Although improvements can certainly be made, it's simply not possible to make a useful computer totally exploit proof,

    This is because ultimately, the PEBKAC.

    • Kaspersky is foolish. I make OSs too, and there can be no Exploit Proof OS. You can't make an exploit proof OS on insecure hardware. DMA == Direct Memory Access. [wikipedia.org] Any device that uses DMA (and there are tons: PCI, Firewire, etc.), can read and write all memory everywhere in the system without any software being able to stop them. Look, I'm all for creating a very secure OS, but first we must create secure HARDWARE. It's not as if the OS can protect itself from exploitable hardware with firmware bugs.

  • It is possible, Kaspersky wrote, because it will not be something for the masses, but, "highly tailored, developed for solving a specific narrow task, and not intended for playing 'Half-Life' on, editing your vacation videos, or blathering on social media."

    Odd, I thought blathering was one of his favorite past times! :-)

  • Sorry... what!?!?!?! (Score:5, Interesting)

    by bernywork (57298) <bstapleton@@@gmail...com> on Friday October 19, 2012 @07:05PM (#41711479) Journal

    Something in me thinks that we've been down this path before....

    It all comes down to who's watching the watchers....

    Linux + SELinux, (SELinux, which was originally built by the NSA for those who don't know enough history to realise) is an operating system with an immutable watchdog. What more do you want?

    If you have the source code and the policies, both of which can be externally audited, how can you (As an external person) screw this up?

    I remember back in the old old Solaris days dealing with buffer overflows in the driver stack to get remote root, but those days are gone, you would never get that permission to access that executable, let alone open a socket.

    If you've got SELinux + policies it's here and it's here now.

    Just in case you think this is a pro-Linux rant...

    Microsoft have spent a truck load of money on "trustworthy computing" to find new exploits, to the extent that they have honeypots to find new stuff for back testing.

    They don't have a watchdog yet, they've started with Windows Defender, but that's nowhere near low level enough yet, and the whole anti-competitive landscape, plus developer buy in (And unfortunately a lot of devs don't know exactly what they're really doing) makes it difficult to say the least. They are still a couple of OS released away from making it work.

    • Linux + SELinux, (SELinux, which was originally built by the NSA for those who don't know enough history to realise) is an operating system with an immutable watchdog. What more do you want?

      SELinux wasn't intended to be highly secure. It's an add-on to Linux, after all, not a new OS. The purpose of SELinux was to get a mandatory-security system out and widely used so that applications would be written to run under tight restrictions. Read what NSA originally wrote about it.

      A big problem with secure operating systems is getting applications to run in a secure environment. That means saying "no" a lot. No, your game can't find out what else is running. No, Photoshop can't snoop the LAN for o

  • by identity0 (77976) on Friday October 19, 2012 @07:06PM (#41711487) Journal

    I often hear of "Russian hackers" and the hacker scene is supposedly pretty big, and I've always wondered to what extent the government there had a hand in that. Anyone here have any experience with the Russian scene?

    And why is the hacker scene so big there?

    • by TubeSteak (669689) on Friday October 19, 2012 @08:49PM (#41711997) Journal

      Russia and the former soviet states:
      1. A strong educational system (that is churning out computer scientists)
      2. Lack of opportunities in the computer science field
      3. No laws to curtail computer crime or minimal enforcement where laws exist.
      4. Strong tradition of organized crime

      Mix all these things together and you get hotspots of computer crime.
      There are towns where you can find everything starting with the guy who is writing the malware,
      to the guy translating your website/e-mail into english, and ending with the guys who cash out bank accounts and launder the money.

    • by melikamp (631205)
      Decent science education, at least until recently. Besides, the Russian law enforcement has lots of blackhats on payroll, almost certainly, since that's exactly their MO. They are masters of spoofing, misinformation, and sabotage. I bet half the time China hacks US, it's actually Russians hacking China, and then US through China.
    • I often hear of "Russian hackers" and the hacker scene is supposedly pretty big, and I've always wondered to what extent the government there had a hand in that. Anyone here have any experience with the Russian scene?

      There used to be one in the former USSR, since they couldn't really buy Western hardware. They had government-sponsored operations to buy foreign hardware through third parties, tear the hardware apart, and cloning it. I suppose the same thing was probably happening for pirating Western software as well, thought I'm not sure if the Soviet government was directly involved in that one. Pirating and writing software patches was just something everybody did since they couldn't buy Western software through norma

  • follow the "Ferengi Rules of Aquisition". That way the only thing that's exploited is your wallet.

  • by aNonnyMouseCowered (2693969) on Friday October 19, 2012 @07:53PM (#41711747)

    "Given the recent declarations from U.S. Secretary of Defense Leon Panetta and others that the nation is facing a 'digital Pearl Harbor' or 'digital 9/11' from hostile nation states like Iran"

    I'm worried by this blurring of distinctions in the historical significance of the two events. Whatever your political persuasion, Pearl Harbor was a de facto declaration of war. It was a strike against a military target carried out by a true nation state. The "9/11" terrorist attack was something else. It was carried out by an independent group that at worst can be described as being in an alliance of convenience with some foreign government.

    By confusing our figures of speech for two clearly different types of cyberattacks, the danger is that the same counterattack methods will be used for both. Treating "9/11" as an act of war, and not simply as a well-coordinated distributed terrorist attack, led to a trillion-dollar War on Terror. On hindsight did it make sense to send out a nation's armies to deal with a few hundred suspected terrorists? Wouldn't it have been better if the intelligence agencies dealt with the issue, resorting to large military strikes only when the intelligence and situation warranted?

    So now will the hometowns/countries of suspected Anonymous members be the target of the same massive disruption of IT services that US would launch in retaliaton for a supposed cyberattack from Iran or China?

    • by fnj (64210)

      So the two events were different in character. So what? Panetta said we could be facing one OR the other. What part of that warning implies a blurring of distinctions?

  • Exploit-Proof was one of the main requeriments of OpenBSD when it started 17 years ago.

  • While it would certainly be nice if this claim were true (I doubt it is), social engineering is a bigger problem and one that, one would think, we could see more benefit in working to eliminate than the benefit we might see from buying some outrageous claim.
  • Deducing whether the code is safe or not based on the authors' nationality or background is just ridiculous.

  • by Eyeball97 (816684) on Friday October 19, 2012 @08:30PM (#41711915)

    To claim that anything is exploit proof requires a level of arrogance and/or stupidity I hadn't thought possible outside of government.

  • In theory? Yes. Without oversight or public code review?

    Heh. ...

    Wait, you were serious?

  • What's a Star Wars force field? I've heard of Star Wars deflector shields but never any mention of force fields. Perhaps the author was thinking of Star Trek.
    • What's a Star Wars force field? I've heard of Star Wars deflector shields but never any mention of force fields. Perhaps the author was thinking of Star Trek.

      See comment below. And then hand in your geek badge, you Trekkie! I kid..I'm a Trekkie.

  • I think we all know that the Death Star shield was not impenetrable... All it took to take it down was a small group of rebels and a clever social hack (aka, "we've got the rebels on the run, sir!")
  • If he seriously wants to brag about his exploit-free OS, let him put it out there in the world. Better yet, let us look at the source. Anything else is just words. Let's see the code.
  • ... the real reason is you can have computers delay and analyze all incoming requests then pass the data on to the 'real computer' or you can keep your computers off the net and whitelist what it can communicate with. The only failure being the human element (who has access to your computers).

    You can have high performance or tight security, pick one. The more "secure" you make a computer the more time you spend in observing and analyzing requests.

  • I've met the guy, and he's one of the few who doesn't play ball in the intercept world of "please don't recognise our code as a virus so we can listen in. We're the good guys, honest".

    What I see is a lot of conjecture that what Kaspersky is doing cannot be secure because of reasons that have zilch to do with the code in question.

    It is very simple: if you want to use it, you will have to have it evaluated by people YOU trust. Stop with the political BS, that has nothing to do with the security of the platf

  • I confronted the problem of trust when evaluating PGP for private use. How could I be sure that PGP wasn't a ruse sponsored by the US government?

    PGP was supposedly written by Phil Zimmerman, a counterculture hero. It's authenticity is vouched for by numerous institutions and academics.But I don't know Zimmerman personally,nor am I familiar with those institutions, nor do i know those academic names personally. On the other hand, i do know that criminal confidence men easily build up phones web sites mim

  • Given the uber-paranoid viewpoint of the Dept of Defense on things computer, does anyone know if Kaspersky's AV is not allowed on DOD computer systems? Not that the guys/gals running DOD cybersecurity are perfect and on top of things, but the are paranoid enough to be worried about KAV if they see K's involvement with the Russion government and/or crime syndicates as a potential problem.

What this country needs is a dime that will buy a good five-cent bagel.

Working...