Should Kaspersky Lab Show Its Source Code To The US Government?

Today the CEO of Kaspersky Lab said he's willing to show the company's source code to the U.S. government, testify before Congress, and even move part of his research work to the U.S. to dispel suspicious about his company. The Associated Press reports: Kaspersky, a mathematical engineer who attended a KGB-sponsored school and once worked for Russia's Ministry of Defense, has long been eyed suspiciously by his competitors, particularly as his anti-virus products became popular in the U.S. market. Some speculate that Kaspersky, an engaging speaker and a fixture of the conference circuit, kept his Soviet-era intelligence connections. Others say it's unlikely that his company could operate independently in Russia, where the economy is dominated by state-owned companies and the power of spy agencies has expanded dramatically under President Vladimir Putin. No firm evidence has ever been produced to back up the claims...

Like many cybersecurity outfits in the U.S. and elsewhere, some Kaspersky employees are former spies. Kaspersky acknowledged having ex-Russian intelligence workers on his staff, mainly "in our sales department for their relationship with the government sector." But he added that his company's internal network was too segregated for a single rogue employee to abuse it. "It's almost not possible," he said. "Because to do that, you have to have not just one person in the company, but a group of people that have access to different parts of our technological processes. It's too complicated." And he insisted his company would never knowingly cooperate with any country's offensive cyber operations.
A key Democrat on the Senate Armed Services Committee has told ABC that "a consensus in Congress and among administration officials that Kaspersky Lab cannot be trusted to protect critical infrastructure." Meanwhile, Slashdot reader Kiralan shares this article from Gizmodo noting Kaspersky Lab "has worked with both Moscow and the FBI in the past, often serving as a go-between to help the two governments cooperate." But setting the precedent of gaining trust through source code access is dangerous, as is capitulating to those demands. Russia has been making the same requests of private companies recently. Major technology companies like Cisco, IBM, Hewlett Packard Enterprise, McAfee, and SAP have agreed to give the Russian government access to "code for security products such as firewalls, anti-virus applications and software containing encryption," according to Reuters. Security firm Symantec pointedly refused to cooperate with Russian demands last week. "It poses a risk to the integrity of our products that we are not willing to accept," a Symantec spokesperson said in a statement.

Buy American?

[Frosty Piss]

Beyond the paranoia, shouldn't American strive to buy American if there is an available competing product? I'm not "flag waving", but it does seem like at least one way to contribute to the American economy in some way.

Re:

[Anonymous Coward]

What happens when you buy American? The "American" company that has it's actual headquarters in Ireland or the Bahamas (on paper at least) shifts it's profits into a Swiss bank account and then funnels the money back via a subsidiary in the Netherlands, helping no-one but their C-level executives.

Re:

[thegarbz]

As a resident of the Netherlands I think you're completely wrong. We also benefit a bit along with the C-levels :-)

Re:

[Errol backfiring]

You must be the one watering the plants.

If you can read Dutch, this article [www.ftm.nl] explains you only need a chair and a plant to use the Dutch tax haven.

Re:

[thegarbz]

Can you caution paywall that next time to save me the hassle? But yes, that's kind of how the Belastingdienst works.

Re:

[sit1963nz]

The same argument then applied to every country who buys anything FROM the USA.

There is over US$2 Trillion in exports to be put at risk by other countries doing the same.

Does the USA really want to be locked out of 80% of the worlds economy and 94% of the worlds customers ?

Re:

[Frosty Piss]

The same argument then applied to every country who buys anything FROM the USA.

I'm talking about sales to the Federal Government. Private entities can buy from whoever they like within the law.

Re:

[sit1963nz]

Again, all other countries do the same.

So that ends up including Health, Education, Military, Law and Order, etc etc. Worse is that governments end up dictating software to the private entities, for example if all government documents had to be in Latex or Open Office formats, private businesses would move over to that software accommodate the governments needs. Why do you think Microsoft works so hard to keep governments using their software ?

So its not as simple as you make out.

Re: Buy American?

[nick_davison]

So the federal government should only buy American where comparable American products exist?

But you start playing the protectionist game and other countries' governments may return the favor you've shown to their economies by ordering non American whenever a comparable product exists.

How well do you think Lockheed and Boeing will do when they're shut out of all European defense contracts because EADS, British Aerospace and SAAB all make comparable products?

How much do you think the already massively cost overrunning F-35 will cost when you can only spread the development cost over US only sales? It's a project that only got off the ground because they figured in export sales to people like the U.K.

It seems ironic that one faction within the US believes that a free market with minimal government involvement to skew that market is the key to success... except when it's politically expedient to add extra federal process to avoid a free market.

Re: Buy American?

[easyTree]

Never buy American. More CO2 is used per unit work. Think of the environment!

Re:

[gravewax]

protectionism begets retaliatory protectionism. You want to be real sure you are going to be on the winning end of that before you start such a war.

Re:

[cstacy]

>> The same argument then applied to every country who buys anything FROM the USA.

> I'm talking about sales to the Federal Government. Private entities can buy from whoever they like within the law.

If you suspect a foreign entity (from Russia in the present case), what should a buyer in another country think about foreign products from the USA?

They should think it may contain backdoors/vulnerabilities and possibly even be deliberately compromised by the United States government. And I can assure you that they DO already think this. Why the United States government -- particularly the military -- is basing the security of its IT infrastructure on a product from a Russian company with close ties to the KGB is just incomprehensible.

At least now they are going to audit the software. Unfortunately, they will miss things.
(They would also miss things if

Re:

[fuzzyfuzzyfungus]

It isn't just AV outfits. I don't know how much arm-twisting this originally may have involved; but Microsoft will let suitably qualified government customers [microsoft.com] look at the code. Given that the people who don't respect your copyrights have access to pirated versions anyway; and you don't really want "Security" to be an automatic winning argument against using your product, I imagine that it's not too hard a case to make.

What I wonder more about is how much this access actually helps those who have it. Anti

Re:

[chuckugly]

Yeah security software in particular tends to also be pretty complex, with a lot of hooking, filtering, and other kernel shenanigans along with service level support and user mode hooking. I guess source would help in looking for obvious remote backdoors a lot, but actual full on analysis would be probably beyond most if not all enterprises and probably a lot of state agencies.

Re:

[fuzzyfuzzyfungus]

Unless you grovelled quite carefully over every new batch of virus signatures and heuristics(not necessarily a good idea if it delays protection against viruses that could already be hitting your gullible users; and not necessarily an easy task, if the number of occasions when an AV vendor has accidentally broken the OS or some common program by misidentifying it as a virus is anything to go by); even a fully 'non-malicious' antivirus program could turn very unpleasant very fast with the wrong update.

Be

Re:

[chuckugly]

Modern AV is not even primarily based on old fashioned signatures; this is a common misconception. Top tier AV vendors still include and devote significant resources to signature based protection but it's just one facet of the overall defense. Reviewers that concentrate on testing against the sort of threats signature based portions of AV protection excel against probably don't help with killing this misconception. Other means of determining the validity of a process image or data include crowd sourced repu

Re: Buy American?

[easyTree]

Agreed. One only needs to look at the way unconscious xenophobia (arguably a bug in our psyche) may be exploited and escalated to gain additional permissions by unscrupulous government.

Re:

[someone1234]

Probably for the same reason (US government means CIA/NSA too), Kaspersky is rightfully anxious.
Russian or US, these governments are all the same, i wouldn't even be surprised if some hackers are on both payrolls.

Re:

[Frosty Piss]

Maybe if the american AV companies didn't make such a horrible bloated POS that kills half of your PCs performance. It's probably not written in america anyways. Probably from India

Windows Defender works great and gets good reviews even from Windows haters. But you're right, it was probably written in India, or at least by H1B Indians in Redmond...

Re:

[davester666]

Not only that, but just seeing the source is no guarantee. The gov't would have to inspect the source AND compile it and then use that executable. As well as examine all the various virus definition files and only use the ones they have examined. And then somehow make sure Kaspersky isn't holding back some of them and isn't intentionally using an incorrect virus def file (say one that lets through a Russian gov't virus).

Re:

As far as I can see many Americans are worried about illegal NSA surveillance. I'll leave it open whether that's reasonable or unreasonable, but at least for those people it makes perfect sense not to run US antivirus software and instead use software from Russia, Romania, etc.

By the same token, my answer to the headline question is No. The only effect of giving source code to the US government is that it will be handed over to the NSA who will then analyze it for weaknesses. (I'm fairly confident that they

Re: Buy American?

[dougdonovan]

obviously the us govt does not have the tech savvy balls to access kaspersky. if you have to ask, you are wrong. the courts...will support the evidence, they dont know any better.

Re: Buy American?

[aliquis]

If you believe in competition and competitiveness then no.

Re:

[sycodon]

"sure, here's mode code right here. I promise it's the real thing"

Regardless of the other arguments, who really thinks he will provide the real code?

covfefe !

[DrYak]

he will tweet a 3am patch for the backdoors

Oh, then that's what Covfefe was !
That's why "The president and a small group of people know exactly what he meant [by covfefe]" !
It was a super secret code word to fix a vulnerability in Microsoft Windows before the Petya ransomware spreads ?

You must answer, "Yes"...

[Captain Ramage]

Well, come on now, you really must answer, "Yes" if you are for open source and the ability of the user(s) to review the code. After all, isn't the U.S. Government right now saying that they don't trust the code? Or, they've got concerns, at least?

Closed source security software

[fred6666]

Why should anyone trust closed source security software in the first place?

Re:

[Gravis Zero]

Nobody should have to trust any closed source software. Trusting Microsoft is a huge mistake because they have a horrible track record when it comes to writing secure software. Kaspersky Lab on the other hand actually has a good record for being an excellent anti-virus program. I would trust Kaspersky Lab over Microsoft but I don't have to trust either of them, so I don't.

Re:

[rtb61]

There is a real catch for closed source proprietary code security software, everyone knows exactly what the NSA/CIA will do, look for bugs and keep the results secret, so they can hack in any time they want, not matter the consequences in the interim, pack of morons. For Kaspersky there is nothing to win, they will never buy the software and when the lobbyists instruct the political appointees to lie, they will. They will discover a direct link in Kaspersky software to the KGB, Soviet Union and Stalin, talk

Re:

[cstacy]

Nobody should have to trust any closed source software. Trusting Microsoft is a huge mistake

The government doesn't trust Microsoft ; they have access to the source and audit it.
Well, they sort-of trust them. And they sort-of audit it. Sometimes.

You are aware that SE Linux is originally a product of the US military (DARPA) I assume?

Of course, they're not auditing any software perfectly. I don't know how much the different
parts of the government look at any of these systems. Probably not as thorough and ongoing as one would wish.

Re:

[Xenographic]

I honestly agree with this. I think they should be demanding the source to all security relevant products, if for no other reason than that they can control and analyze them. When software is feature complete, business types love to shove it into maintenance mode, leave a skeleton crew to do security updates and in general lower the quality with each new release by trying to milk it.

Re:

[RockDoctor]

I honestly agree with this. I think they should be demanding the source to all security relevant products

The word "security" is superfluous in this sentence. Where does "security" start? Or stop?

Re:

[AHuxley]

Security software helps find nation state efforts
Longhorn: Tools used by cyberespionage group linked to Vault 7
https://www.symantec.com/conne... [symantec.com]
Equation Group https://en.wikipedia.org/wiki/... [wikipedia.org]
Stuxnet https://en.wikipedia.org/wiki/... [wikipedia.org]
Operation Socialist https://en.wikipedia.org/wiki/... [wikipedia.org]

Re:

[sad_]

and who's to say they will show the actual source? maybe they'll clean it up before handing over.

Re:

[swb]

I'm sure there's some requirement to not just *see* the source, but to build it independently with the same toolchain and make sure you get the same executables.

The problem with Kaspersky is that like all AV it's self-updating with definitions and program updates, it's not a static executable.

Doesn't matter

[mhkohne]

Even if Kaspersky shows the source today and intends to be completely upright in their dealings, they are still susceptible to govt interference. The govt could nully them into doing it's bidding, or could plant it's own people on the team.

Just as I understand China not wanting to take MS at it's word, we should probably not rely on these guys.

Re:Doesn't matter

[Anonymous Coward]

So we shouldn't trust a Russian company because they may or may not have ties to the Russian government to do "bad things"

But we have plenty of evidence the NSA has actually done real bad things and forced US companies to help and enable them to do it.
So clearly we can't use any American software either.

Where should we get our software from now?

Re:

[Frosty Piss]

Just as I understand China not wanting to take MS at it's word ...

Hah! I get it, MS Word!

Re:

[Darkling-MHCN]

Correct.

Every virus program is measured by its ability to quickly and effortlessly release updates to combat new threats, so who knows what new threats Kapersky might counter in a time of war.

The major difference between the NSA and Russia is NSA will want every computer in the USA to keep functioning whereas in a time of war Russia would want every computer in the USA to stop functioning.

Re:

[BlueStrat]

The major difference between the NSA and Russia is NSA will want every computer in the USA to keep functioning whereas in a time of war Russia would want every computer in the USA to stop functioning.

Not sure that's been true for some time, if ever regarding the USA (government) wanting every computer in the USA to keep working. I believe just the opposite, that the US government views the US population as at least as much, if not more, of a threat than any foreign state, and wants the ability to hack into and/or shut down any civilian/private/individual network or computer in the US, and is so afraid of the population that it's willing to sacrifice security vs foreign states to obtain it.

So far they've

Re:

[cstacy]

So we shouldn't trust a Russian company because they may or may not have ties to the Russian government to do "bad things"

But we have plenty of evidence the NSA has actually done real bad things and forced US companies to help and enable them to do it.
So clearly we can't use any American software either.

Where should we get our software from now?

If you are a government / military, you should write it yourself.
Or only use specific versions that you have audited and trust.

Not just the government!

[Tony Isaac]

The real value of anti-virus software is not the source code, it's the data--the signatures it looks for to spot malware. I'm fine with them keeping their database proprietary. But why not make the source code freely available...unless they have something to hide!

Re:

[Zemran]

Something to hide? You mean like normal business practice? I am far more worried about the way they are rolling over.

Re:

[Opportunist]

It's easy to write code that morphs, but hard (in my opinion impossible) to write it in such a fashion that it cannot be identified.

Back when morphing code was still en vogue (back when malware writers put in some effort into their work, today it's mostly the same shoddy hacks that any other commercial software is), part of my job was to develop routines that could identify morphing malware. With some it was easy, with some it was hard (and I distinctly remember one particularly nasty bugger that we could o

What difference does it make?

[Tony Isaac]

Let's say they release some source code. Who could prove that the executable that customers use, was compiled from that source code, without modification?

Re:

[Kjella]

Let's say they release some source code. Who could prove that the executable that customers use, was compiled from that source code, without modification?

Reproducible builds is a pretty big thing for open source too, for example Debian [debian.org]. As long as you have information about the build environment (compiler name and version, build flags, source path), the vast majority of packages will now give the exact same binary. If not there are typically small differences due to various system parameters that can be diff'ed and deciphered. How easy it would be for Kaspersky's code only they know, but with the US government's resources it should be no problem to verify th

What to learn from this article

[guruevi]

a) Don't trust Symantec, they've got stuff to hide in their source code whether it's NSA-stuff or sloppy code.
b) You can probably trust Kaspersky for most things except NSA-stuff.

I've personally never trusted Symantec and I always thought Kaspersky was good enough for the home, I never considered them to be a serious contender in the enterprise-market. I have serious reservations about most US-based closed source (security) software and closed system hardware manufacturers. The NSA persuaded a relatively sm

Re:

[king neckbeard]

Most people have more to fear from their own government than from Russia. Thus, a Russian backdoor is less of a concern than an American backdoor.

Re:

[king neckbeard]

No, it's because an enemy of my enemy is slightly less of an enemy to me. That's why Snowden was safe in Russia. He is an enemy of the US government, and so is the Russian government.

Re:

[Gravis Zero]

What we really need is to only use open-source stuff.

FTFY.

Re:

[hduff]

Yes. The CIA has developed its Open Source OS. Feel free to use it.

No fucking way

[Dunbal]

The government is free to write its own anti-virus software.

They probably should

[rsilvergun]

it's the kind of positive make-work project that does good things for the local economy. The guys I know in the defense industry make 2-3x the going rate for the equivalent work (unless they're high-end math guys, Wallstreet gobbles those guys up for HFT).

Would a US company do the same?

[Zemran]

How many US companies would want to show their source code to the Russian government? The Russia government has a far more trustworthy record in this area. Most malware now is based on code from the NSA. I think Kaspersky should not trust the US government and by doing so they become less trustworthy. If they rolled over on this how can we trust them not to allow changes to their code?

of course they shouldn't

[Yurka]

They are (to the extent it is applicable to anything that's Russian) a private company, at least on the US market, and they can hide or disclose whatever parts of the code they want, unless there's a subpoena or a search warrant. But by the same token, of course no agency in their right mind, much less a government agency, can possibly contemplate using anything developed by a KGB man.

Offered in 2006

[AHuxley]

"Russian anti-virus CEO offers up code for US govt scrutiny"
http://hosted.ap.org/dynamic/s... [ap.org]
"... ready to have his company's source code examined by U.S. government officials"

Re:Offered in 2006

[AHuxley]

Cyber spying risks the future of the internet (Nov 7 2013)
http://www.smh.com.au/it-pro/s... [smh.com.au]
We are opening an office in [Washington] DC for this reason. We will send our source code, you can check our source code. You're welcome."

solution: Eset NOD32

[elcor]

Catches a lot, low footprint, Czechoslovakia is just awesome.

Re: solution: Eset NOD32

[dunkelfalke]

Can I borrow your time machine?

Re:

[elcor]

oh god - does it suck now? (I admit I've been on mac since 2009)

Re:

[dunkelfalke]

It is not that good anymore, but that was not my point. Czechoslovakia has ceased to exist 25 years ago.

It seems . . .

[hduff]

TFA: "A key Democrat on the Senate Armed Services Committee has told ABC that "a consensus in Congress and among administration officials that Kaspersky Lab cannot be trusted to protect critical infrastructure.""

The same could be said by any foreign government or individual about Microsoft or Apple operating systems.

Why should they?

[Snotnose]

Seriously, let them decide "fuck the USA, we still have the rest of the world". Downside? Sales in the US fall. Upside? As the great lady sings "Are EE Ess Pee Ee See Tee".

Give em the source. Downside? NSA says "damn, never thought of that.". Or "damn, they just found $NSA_Hack_Tool". Upside? Nothing I can think of, outside of sales in the US.

Spy-agencies power

[manu0601]

It's unlikely that his company could operate independently in Russia, where the economy is dominated by state-owned companies and the power of spy agencies has expanded dramatically under President

The funny part is that you can take this sentence, replace Russia by US, and state-owned by privately-owned, and it is still true.

Show of hands

[DivineKnight]

Who believes the US government doesn't have a full copy of the source already?

For once...

[MSG]

For once, the answer to the headline is "yes."

Yes, Kaspersky should show its source code to the US Government. They should show their source code to all of their users. All software should come with its source code. If you weren't convinced of that before, you should have been by the audit of Toyota's source code.

http://www.safetyresearch.net/... [safetyresearch.net]

Beware Of Backdoors

[nick_davison]

It's important that the US government, the primary creator of forced backdoors and exploits, can make sure code doesn't have... oh.

Now, if you'll excuse me, I've got to go and patch everything in my home due the the huge cache of zero day exploits the NSA were hoarding, rather than reporting, until they got leaked.

Paranoia

[allo]

Who to trust? American Software? Ask the NSA, they will recommend it.
If the russians want to spy, they at least want to spy on the government not on the people.

I'd like to see it happen

[GeekWithAKnife]

Today the CEO of Kaspersky Lab said he's willing to show the company's source code to the U.S. government, testify before Congress, and even move part of his research work to the U.S. to dispel suspicious about his company. The Associated Press reports:

From real life to gaming VR I've never heard of anyone being able to dispel suspicious.

Trustworthy?

[bradley13]

"Kaspersky Lab cannot be trusted to protect critical infrastructure"

Whereas the US government is totally trustworthy. [zdnet.com] /sarc

connections

[Tom]

Some speculate that Kaspersky, [...] kept his Soviet-era intelligence connections.

No shit. Of course he did, you have to be a total idiot not to have connections to the intelligence sphere of the country you are operating in if you own a company in the security industry.

The question should not be if he has connections. That's a given. You think McAfee has no such connections? The question is if they affect the product he is selling in a technically meaningful way. That he keeps such connections for the purpose of sales is clear.

But hey, digging deeper than a sensationalist quote has fallen out of fashion, hasn't it?

Dear Leader Putin Does What He Likes

[Maritz]

Russia is a kleptocracy, and it's absurd to think they could not put the screw on Kaspersky. While they are based in or have assets in Russia, I certainly wouldn't use them. End of story.

If Kaspersky resisted, it'd be bullets and polonium tea all around. Simple as that.

Which US government?

[WillAffleckUW]

The Russian apparatchiks in the White House?

Or the freedom fighters in Deep State?

Pointless

[Stan92057]

What would be the point? they can upload security updates at any time to upload nefarious programs/functions. I get almost 6 Mb a day security updates from Norton how do i know they are not acting hand in hand what their government ? Or they are acting with someone else?

It should show its source code to EVERYONE

[hackel]

Kaspersky Lab should show it's source code to *everyone*, not just the U.S. government. It's absurd to even contemplate relying on a security product for which the source code is not publicly available. This case should highlight how incredibly absurd it is that proprietary software still exists in our society.

Oceania

[easyTree]

Don't look at the NSA, look at the Russians!

Re:

[gweihir]

No moderation option "-1 Moron", so posting it instead.

Re:

[gweihir]

I am not an AC hiding behind anonymity like the scum you are. And who says moderators cannot be morons as well? Incidentally, he is now at "0, Insightful" meaning he got modded down again, because a smart moderator undid the mistake the other one made.

Re:

[gweihir]

Indeed. But Trump followers often resemble Trump, so that is not much of a surprise.

Re:

[king neckbeard]

No, I want Trump shot into the sun, but at worst, Russia used journalism against America, which is GOOD for the people, albeit bad for the government.

Re:

[king neckbeard]

I suppose traitor would be the closer answer. I'm opposed to my government because I give a shit about my country. I think we should release anything bad on Putin, Russian hackers should release anything bad on us, and rinse and repeat for every other country in the world. Then, we get plenty of sunshine, and the cockroaches scatter.

Re:

[king neckbeard]

Yeah, but he's a different kind of liar, which was slightly less disgusting to a portion of the population. Particularly, he told the truth on some issues, such as TPP. Had the Dems nominated Sanders, a lot of that appeal would have been gone.

Re:

[king neckbeard]

It was good for US corporations, but bad for US workers.

Re:

[hduff]

I e-mailed all my gay clown porn to vlad247@aol.com. He wrote me back a nice thank you letter. I now run Kaspersky on all my devices without fear!

Links or STFU.

Re:

[king neckbeard]

Because Putin's anti-virus would be the one most likely to not have NSA backdoors, which is what an American citizen should be concerned about.

Re:

[king neckbeard]

But even in your metaphor, proximity matters. If I have two shields, one strong against the Scylla and weak against the Charybdis, one strong against the Charybdis and weak against the Scylla, and I'm sailing pasting the Scylla, I would be a fool to not choose the shield strong against the Scylla, even though it is weak against the Charybdis, because the Charybdis is too far away to be a real concern.

Ultimately, I'd advise against using Windows altogether, but that's an entirely different conversation.