Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Government United States

Should Kaspersky Lab Show Its Source Code To The US Government? (gizmodo.com) 182

Today the CEO of Kaspersky Lab said he's willing to show the company's source code to the U.S. government, testify before Congress, and even move part of his research work to the U.S. to dispel suspicious about his company. The Associated Press reports: Kaspersky, a mathematical engineer who attended a KGB-sponsored school and once worked for Russia's Ministry of Defense, has long been eyed suspiciously by his competitors, particularly as his anti-virus products became popular in the U.S. market. Some speculate that Kaspersky, an engaging speaker and a fixture of the conference circuit, kept his Soviet-era intelligence connections. Others say it's unlikely that his company could operate independently in Russia, where the economy is dominated by state-owned companies and the power of spy agencies has expanded dramatically under President Vladimir Putin. No firm evidence has ever been produced to back up the claims...

Like many cybersecurity outfits in the U.S. and elsewhere, some Kaspersky employees are former spies. Kaspersky acknowledged having ex-Russian intelligence workers on his staff, mainly "in our sales department for their relationship with the government sector." But he added that his company's internal network was too segregated for a single rogue employee to abuse it. "It's almost not possible," he said. "Because to do that, you have to have not just one person in the company, but a group of people that have access to different parts of our technological processes. It's too complicated." And he insisted his company would never knowingly cooperate with any country's offensive cyber operations.

A key Democrat on the Senate Armed Services Committee has told ABC that "a consensus in Congress and among administration officials that Kaspersky Lab cannot be trusted to protect critical infrastructure." Meanwhile, Slashdot reader Kiralan shares this article from Gizmodo noting Kaspersky Lab "has worked with both Moscow and the FBI in the past, often serving as a go-between to help the two governments cooperate." But setting the precedent of gaining trust through source code access is dangerous, as is capitulating to those demands. Russia has been making the same requests of private companies recently. Major technology companies like Cisco, IBM, Hewlett Packard Enterprise, McAfee, and SAP have agreed to give the Russian government access to "code for security products such as firewalls, anti-virus applications and software containing encryption," according to Reuters. Security firm Symantec pointedly refused to cooperate with Russian demands last week. "It poses a risk to the integrity of our products that we are not willing to accept," a Symantec spokesperson said in a statement.
This discussion has been archived. No new comments can be posted.

Should Kaspersky Lab Show Its Source Code To The US Government?

Comments Filter:
  • by Frosty Piss ( 770223 ) * on Sunday July 02, 2017 @06:37PM (#54731981)

    Beyond the paranoia, shouldn't American strive to buy American if there is an available competing product? I'm not "flag waving", but it does seem like at least one way to contribute to the American economy in some way.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      What happens when you buy American? The "American" company that has it's actual headquarters in Ireland or the Bahamas (on paper at least) shifts it's profits into a Swiss bank account and then funnels the money back via a subsidiary in the Netherlands, helping no-one but their C-level executives.

      • As a resident of the Netherlands I think you're completely wrong. We also benefit a bit along with the C-levels :-)

    • Re: (Score:3, Insightful)

      by sit1963nz ( 934837 )
      The same argument then applied to every country who buys anything FROM the USA.

      There is over US$2 Trillion in exports to be put at risk by other countries doing the same.

      Does the USA really want to be locked out of 80% of the worlds economy and 94% of the worlds customers ?
      • The same argument then applied to every country who buys anything FROM the USA.

        I'm talking about sales to the Federal Government. Private entities can buy from whoever they like within the law.

        • Again, all other countries do the same.

          So that ends up including Health, Education, Military, Law and Order, etc etc. Worse is that governments end up dictating software to the private entities, for example if all government documents had to be in Latex or Open Office formats, private businesses would move over to that software accommodate the governments needs. Why do you think Microsoft works so hard to keep governments using their software ?

          So its not as simple as you make out.
        • Re: Buy American? (Score:5, Insightful)

          by nick_davison ( 217681 ) on Sunday July 02, 2017 @11:18PM (#54732817)

          So the federal government should only buy American where comparable American products exist?

          But you start playing the protectionist game and other countries' governments may return the favor you've shown to their economies by ordering non American whenever a comparable product exists.

          How well do you think Lockheed and Boeing will do when they're shut out of all European defense contracts because EADS, British Aerospace and SAAB all make comparable products?

          How much do you think the already massively cost overrunning F-35 will cost when you can only spread the development cost over US only sales? It's a project that only got off the ground because they figured in export sales to people like the U.K.

          It seems ironic that one faction within the US believes that a free market with minimal government involvement to skew that market is the key to success... except when it's politically expedient to add extra federal process to avoid a free market.

        • protectionism begets retaliatory protectionism. You want to be real sure you are going to be on the winning end of that before you start such a war.
    • Not only that, but just seeing the source is no guarantee. The gov't would have to inspect the source AND compile it and then use that executable. As well as examine all the various virus definition files and only use the ones they have examined. And then somehow make sure Kaspersky isn't holding back some of them and isn't intentionally using an incorrect virus def file (say one that lets through a Russian gov't virus).

    • by ( 4475953 )

      As far as I can see many Americans are worried about illegal NSA surveillance. I'll leave it open whether that's reasonable or unreasonable, but at least for those people it makes perfect sense not to run US antivirus software and instead use software from Russia, Romania, etc.

      By the same token, my answer to the headline question is No. The only effect of giving source code to the US government is that it will be handed over to the NSA who will then analyze it for weaknesses. (I'm fairly confident that they

    • obviously the us govt does not have the tech savvy balls to access kaspersky. if you have to ask, you are wrong. the courts...will support the evidence, they dont know any better.
    • If you believe in competition and competitiveness then no.

  • Well, come on now, you really must answer, "Yes" if you are for open source and the ability of the user(s) to review the code. After all, isn't the U.S. Government right now saying that they don't trust the code? Or, they've got concerns, at least?
  • by fred6666 ( 4718031 ) on Sunday July 02, 2017 @06:53PM (#54732049)

    Why should anyone trust closed source security software in the first place?

    • Nobody should have to trust any closed source software. Trusting Microsoft is a huge mistake because they have a horrible track record when it comes to writing secure software. Kaspersky Lab on the other hand actually has a good record for being an excellent anti-virus program. I would trust Kaspersky Lab over Microsoft but I don't have to trust either of them, so I don't.

      • by rtb61 ( 674572 )

        There is a real catch for closed source proprietary code security software, everyone knows exactly what the NSA/CIA will do, look for bugs and keep the results secret, so they can hack in any time they want, not matter the consequences in the interim, pack of morons. For Kaspersky there is nothing to win, they will never buy the software and when the lobbyists instruct the political appointees to lie, they will. They will discover a direct link in Kaspersky software to the KGB, Soviet Union and Stalin, talk

      • by cstacy ( 534252 )

        Nobody should have to trust any closed source software. Trusting Microsoft is a huge mistake

        The government doesn't trust Microsoft ; they have access to the source and audit it.
        Well, they sort-of trust them. And they sort-of audit it. Sometimes.

        You are aware that SE Linux is originally a product of the US military (DARPA) I assume?

        Of course, they're not auditing any software perfectly. I don't know how much the different
        parts of the government look at any of these systems. Probably not as thorough and ongoing as one would wish.

    • I honestly agree with this. I think they should be demanding the source to all security relevant products, if for no other reason than that they can control and analyze them. When software is feature complete, business types love to shove it into maintenance mode, leave a skeleton crew to do security updates and in general lower the quality with each new release by trying to milk it.

      • I honestly agree with this. I think they should be demanding the source to all security relevant products

        The word "security" is superfluous in this sentence. Where does "security" start? Or stop?

    • Re: (Score:2, Interesting)

      by AHuxley ( 892839 )
      Security software helps find nation state efforts
      Longhorn: Tools used by cyberespionage group linked to Vault 7
      https://www.symantec.com/conne... [symantec.com]
      Equation Group https://en.wikipedia.org/wiki/... [wikipedia.org]
      Stuxnet https://en.wikipedia.org/wiki/... [wikipedia.org]
      Operation Socialist https://en.wikipedia.org/wiki/... [wikipedia.org]
    • by sad_ ( 7868 )

      and who's to say they will show the actual source? maybe they'll clean it up before handing over.

      • by swb ( 14022 )

        I'm sure there's some requirement to not just *see* the source, but to build it independently with the same toolchain and make sure you get the same executables.

        The problem with Kaspersky is that like all AV it's self-updating with definitions and program updates, it's not a static executable.

  • Doesn't matter (Score:4, Insightful)

    by mhkohne ( 3854 ) on Sunday July 02, 2017 @06:54PM (#54732055) Homepage

    Even if Kaspersky shows the source today and intends to be completely upright in their dealings, they are still susceptible to govt interference. The govt could nully them into doing it's bidding, or could plant it's own people on the team.

    Just as I understand China not wanting to take MS at it's word, we should probably not rely on these guys.

    • Re:Doesn't matter (Score:5, Insightful)

      by Anonymous Coward on Sunday July 02, 2017 @09:01PM (#54732551)

      So we shouldn't trust a Russian company because they may or may not have ties to the Russian government to do "bad things"

      But we have plenty of evidence the NSA has actually done real bad things and forced US companies to help and enable them to do it.
      So clearly we can't use any American software either.

      Where should we get our software from now?

      • Just as I understand China not wanting to take MS at it's word ...

        Hah! I get it, MS Word!

      • Correct.

        Every virus program is measured by its ability to quickly and effortlessly release updates to combat new threats, so who knows what new threats Kapersky might counter in a time of war.

        The major difference between the NSA and Russia is NSA will want every computer in the USA to keep functioning whereas in a time of war Russia would want every computer in the USA to stop functioning.

        • The major difference between the NSA and Russia is NSA will want every computer in the USA to keep functioning whereas in a time of war Russia would want every computer in the USA to stop functioning.

          Not sure that's been true for some time, if ever regarding the USA (government) wanting every computer in the USA to keep working. I believe just the opposite, that the US government views the US population as at least as much, if not more, of a threat than any foreign state, and wants the ability to hack into and/or shut down any civilian/private/individual network or computer in the US, and is so afraid of the population that it's willing to sacrifice security vs foreign states to obtain it.

          So far they've

      • by cstacy ( 534252 )

        So we shouldn't trust a Russian company because they may or may not have ties to the Russian government to do "bad things"

        But we have plenty of evidence the NSA has actually done real bad things and forced US companies to help and enable them to do it.
        So clearly we can't use any American software either.

        Where should we get our software from now?

        If you are a government / military, you should write it yourself.
        Or only use specific versions that you have audited and trust.

  • The real value of anti-virus software is not the source code, it's the data--the signatures it looks for to spot malware. I'm fine with them keeping their database proprietary. But why not make the source code freely available...unless they have something to hide!

    • by Zemran ( 3101 )
      Something to hide? You mean like normal business practice? I am far more worried about the way they are rolling over.
  • Let's say they release some source code. Who could prove that the executable that customers use, was compiled from that source code, without modification?

    • by Kjella ( 173770 )

      Let's say they release some source code. Who could prove that the executable that customers use, was compiled from that source code, without modification?

      Reproducible builds is a pretty big thing for open source too, for example Debian [debian.org]. As long as you have information about the build environment (compiler name and version, build flags, source path), the vast majority of packages will now give the exact same binary. If not there are typically small differences due to various system parameters that can be diff'ed and deciphered. How easy it would be for Kaspersky's code only they know, but with the US government's resources it should be no problem to verify th

  • a) Don't trust Symantec, they've got stuff to hide in their source code whether it's NSA-stuff or sloppy code.
    b) You can probably trust Kaspersky for most things except NSA-stuff.

    I've personally never trusted Symantec and I always thought Kaspersky was good enough for the home, I never considered them to be a serious contender in the enterprise-market. I have serious reservations about most US-based closed source (security) software and closed system hardware manufacturers. The NSA persuaded a relatively sm

    • What we really need is to only use open-source stuff.

      FTFY.

  • by Dunbal ( 464142 ) * on Sunday July 02, 2017 @07:28PM (#54732191)
    The government is free to write its own anti-virus software.
    • it's the kind of positive make-work project that does good things for the local economy. The guys I know in the defense industry make 2-3x the going rate for the equivalent work (unless they're high-end math guys, Wallstreet gobbles those guys up for HFT).
  • by Zemran ( 3101 ) on Sunday July 02, 2017 @07:34PM (#54732219) Homepage Journal
    How many US companies would want to show their source code to the Russian government? The Russia government has a far more trustworthy record in this area. Most malware now is based on code from the NSA. I think Kaspersky should not trust the US government and by doing so they become less trustworthy. If they rolled over on this how can we trust them not to allow changes to their code?
  • They are (to the extent it is applicable to anything that's Russian) a private company, at least on the US market, and they can hide or disclose whatever parts of the code they want, unless there's a subpoena or a search warrant. But by the same token, of course no agency in their right mind, much less a government agency, can possibly contemplate using anything developed by a KGB man.

  • Offered in 2006 (Score:4, Informative)

    by AHuxley ( 892839 ) on Sunday July 02, 2017 @07:43PM (#54732267) Journal
    "Russian anti-virus CEO offers up code for US govt scrutiny"
    http://hosted.ap.org/dynamic/s... [ap.org]
    "... ready to have his company's source code examined by U.S. government officials"
  • Catches a lot, low footprint, Czechoslovakia is just awesome.
  • TFA: "A key Democrat on the Senate Armed Services Committee has told ABC that "a consensus in Congress and among administration officials that Kaspersky Lab cannot be trusted to protect critical infrastructure.""

    The same could be said by any foreign government or individual about Microsoft or Apple operating systems.

  • Seriously, let them decide "fuck the USA, we still have the rest of the world". Downside? Sales in the US fall. Upside? As the great lady sings "Are EE Ess Pee Ee See Tee".

    Give em the source. Downside? NSA says "damn, never thought of that.". Or "damn, they just found $NSA_Hack_Tool". Upside? Nothing I can think of, outside of sales in the US.
  • It's unlikely that his company could operate independently in Russia, where the economy is dominated by state-owned companies and the power of spy agencies has expanded dramatically under President

    The funny part is that you can take this sentence, replace Russia by US, and state-owned by privately-owned, and it is still true.

  • Who believes the US government doesn't have a full copy of the source already?

  • For once, the answer to the headline is "yes."

    Yes, Kaspersky should show its source code to the US Government. They should show their source code to all of their users. All software should come with its source code. If you weren't convinced of that before, you should have been by the audit of Toyota's source code.

    http://www.safetyresearch.net/... [safetyresearch.net]

  • by nick_davison ( 217681 ) on Sunday July 02, 2017 @11:23PM (#54732827)

    It's important that the US government, the primary creator of forced backdoors and exploits, can make sure code doesn't have... oh.

    Now, if you'll excuse me, I've got to go and patch everything in my home due the the huge cache of zero day exploits the NSA were hoarding, rather than reporting, until they got leaked.

  • Who to trust? American Software? Ask the NSA, they will recommend it.
    If the russians want to spy, they at least want to spy on the government not on the people.

  • Today the CEO of Kaspersky Lab said he's willing to show the company's source code to the U.S. government, testify before Congress, and even move part of his research work to the U.S. to dispel suspicious about his company. The Associated Press reports:

    From real life to gaming VR I've never heard of anyone being able to dispel suspicious.

  • Trustworthy? (Score:4, Insightful)

    by bradley13 ( 1118935 ) on Monday July 03, 2017 @02:05AM (#54733151) Homepage

    "Kaspersky Lab cannot be trusted to protect critical infrastructure"

    Whereas the US government is totally trustworthy. [zdnet.com] /sarc

  • by Tom ( 822 ) on Monday July 03, 2017 @02:37AM (#54733211) Homepage Journal

    Some speculate that Kaspersky, [...] kept his Soviet-era intelligence connections.

    No shit. Of course he did, you have to be a total idiot not to have connections to the intelligence sphere of the country you are operating in if you own a company in the security industry.

    The question should not be if he has connections. That's a given. You think McAfee has no such connections? The question is if they affect the product he is selling in a technically meaningful way. That he keeps such connections for the purpose of sales is clear.

    But hey, digging deeper than a sensationalist quote has fallen out of fashion, hasn't it?

  • Russia is a kleptocracy, and it's absurd to think they could not put the screw on Kaspersky. While they are based in or have assets in Russia, I certainly wouldn't use them. End of story.

    If Kaspersky resisted, it'd be bullets and polonium tea all around. Simple as that.

  • The Russian apparatchiks in the White House?

    Or the freedom fighters in Deep State?

  • What would be the point? they can upload security updates at any time to upload nefarious programs/functions. I get almost 6 Mb a day security updates from Norton how do i know they are not acting hand in hand what their government ? Or they are acting with someone else?
  • Kaspersky Lab should show it's source code to *everyone*, not just the U.S. government. It's absurd to even contemplate relying on a security product for which the source code is not publicly available. This case should highlight how incredibly absurd it is that proprietary software still exists in our society.

  • Don't look at the NSA, look at the Russians!

Nothing ever becomes real till it is experienced -- even a proverb is no proverb to you till your life has illustrated it. -- John Keats

Working...