Should Kaspersky Lab Show Its Source Code To The US Government? (gizmodo.com)

Posted by EditorDavid from the closed-source-world-problems dept.
Today the CEO of Kaspersky Lab said he's willing to show the company's source code to the U.S. government, testify before Congress, and even move part of his research work to the U.S. to dispel suspicions about his company. The Associated Press reports: Kaspersky, a mathematical engineer who attended a KGB-sponsored school and once worked for Russia's Ministry of Defense, has long been eyed suspiciously by his competitors, particularly as his anti-virus products became popular in the U.S. market. Some speculate that Kaspersky, an engaging speaker and a fixture of the conference circuit, kept his Soviet-era intelligence connections. Others say it's unlikely that his company could operate independently in Russia, where the economy is dominated by state-owned companies and the power of spy agencies has expanded dramatically under President Vladimir Putin. No firm evidence has ever been produced to back up the claims...

Like many cybersecurity outfits in the U.S. and elsewhere, some Kaspersky employees are former spies. Kaspersky acknowledged having ex-Russian intelligence workers on his staff, mainly "in our sales department for their relationship with the government sector." But he added that his company's internal network was too segregated for a single rogue employee to abuse it. "It's almost not possible," he said. "Because to do that, you have to have not just one person in the company, but a group of people that have access to different parts of our technological processes. It's too complicated." And he insisted his company would never knowingly cooperate with any country's offensive cyber operations.
A key Democrat on the Senate Armed Services Committee has told ABC that "a consensus in Congress and among administration officials that Kaspersky Lab cannot be trusted to protect critical infrastructure." Meanwhile, Slashdot reader Kiralan shares this article from Gizmodo noting Kaspersky Lab "has worked with both Moscow and the FBI in the past, often serving as a go-between to help the two governments cooperate." But setting the precedent of gaining trust through source code access is dangerous, as is capitulating to those demands. Russia has been making the same requests of private companies recently. Major technology companies like Cisco, IBM, Hewlett Packard Enterprise, McAfee, and SAP have agreed to give the Russian government access to "code for security products such as firewalls, anti-virus applications and software containing encryption," according to Reuters. Security firm Symantec pointedly refused to cooperate with Russian demands last week. "It poses a risk to the integrity of our products that we are not willing to accept," a Symantec spokesperson said in a statement.

  • Beyond the paranoia, shouldn't Americans strive to buy American if there is an available competing product? I'm not "flag waving", but it does seem like at least one way to contribute to the American economy in some way.

    • The same argument then applies to every country that buys anything FROM the USA.

      There is over US$2 Trillion in exports to be put at risk by other countries doing the same.

      Does the USA really want to be locked out of 80% of the world's economy and 94% of the world's customers?

      • The same argument then applies to every country that buys anything FROM the USA.

        I'm talking about sales to the Federal Government. Private entities can buy from whoever they like within the law.

        • Again, all other countries do the same.

          So that ends up including Health, Education, Military, Law and Order, etc. etc. Worse is that governments end up dictating software to the private entities; for example, if all government documents had to be in LaTeX or Open Office formats, private businesses would move over to that software to accommodate the government's needs. Why do you think Microsoft works so hard to keep governments using their software?

          So it's not as simple as you make out.
  • Well, come on now, you really must answer, "Yes" if you are for open source and the ability of the user(s) to review the code. After all, isn't the U.S. Government right now saying that they don't trust the code? Or, they've got concerns, at least?

  • Closed source security software (Score:5, Insightful)

    by fred6666 ( 4718031 ) on Sunday July 02, 2017 @07:53PM (#54732049)

    Why should anyone trust closed source security software in the first place?

    • Nobody should have to trust any closed source software. Trusting Microsoft is a huge mistake because they have a horrible track record when it comes to writing secure software. Kaspersky Lab on the other hand actually has a good record for being an excellent anti-virus program. I would trust Kaspersky Lab over Microsoft but I don't have to trust either of them, so I don't.

    • I honestly agree with this. I think they should be demanding the source to all security relevant products, if for no other reason than that they can control and analyze them. When software is feature complete, business types love to shove it into maintenance mode, leave a skeleton crew to do security updates and in general lower the quality with each new release by trying to milk it.

    • Re: (Score:2)

      by AHuxley ( 892839 )
      Security software helps find nation state efforts
      Longhorn: Tools used by cyberespionage group linked to Vault 7
      https://www.symantec.com/conne... [symantec.com]
      Equation Group https://en.wikipedia.org/wiki/... [wikipedia.org]
      Stuxnet https://en.wikipedia.org/wiki/... [wikipedia.org]
      Operation Socialist https://en.wikipedia.org/wiki/... [wikipedia.org]

  • Doesn't matter (Score:3)

    by mhkohne ( 3854 ) on Sunday July 02, 2017 @07:54PM (#54732055) Homepage

    Even if Kaspersky shows the source today and intends to be completely upright in their dealings, they are still susceptible to govt interference. The govt could bully them into doing its bidding, or could plant its own people on the team.

    Just as I understand China not wanting to take MS at its word, we should probably not rely on these guys.

  • The real value of anti-virus software is not the source code, it's the data--the signatures it looks for to spot malware. I'm fine with them keeping their database proprietary. But why not make the source code freely available...unless they have something to hide!

    • Re: (Score:2)

      by Zemran ( 3101 )
      Something to hide? You mean like normal business practice? I am far more worried about the way they are rolling over.

  • Let's say they release some source code. Who could prove that the executable that customers use, was compiled from that source code, without modification?

  • a) Don't trust Symantec, they've got stuff to hide in their source code whether it's NSA-stuff or sloppy code.
    b) You can probably trust Kaspersky for most things except NSA-stuff.

    I've personally never trusted Symantec and I always thought Kaspersky was good enough for the home, I never considered them to be a serious contender in the enterprise-market. I have serious reservations about most US-based closed source (security) software and closed system hardware manufacturers. The NSA persuaded a relatively sm

  • The government is free to write its own anti-virus software.
  • How many US companies would want to show their source code to the Russian government? The Russian government has a far more trustworthy record in this area. Most malware now is based on code from the NSA. I think Kaspersky should not trust the US government, and by doing so they become less trustworthy. If they rolled over on this, how can we trust them not to allow changes to their code?

  • They are (to the extent it is applicable to anything that's Russian) a private company, at least on the US market, and they can hide or disclose whatever parts of the code they want, unless there's a subpoena or a search warrant. But by the same token, of course no agency in their right mind, much less a government agency, can possibly contemplate using anything developed by a KGB man.

  • "Russian anti-virus CEO offers up code for US govt scrutiny"
    http://hosted.ap.org/dynamic/s... [ap.org]
    "... ready to have his company's source code examined by U.S. government officials"
  • Catches a lot, low footprint, Czechoslovakia is just awesome.

  • TFA: "A key Democrat on the Senate Armed Services Committee has told ABC that "a consensus in Congress and among administration officials that Kaspersky Lab cannot be trusted to protect critical infrastructure.""

    The same could be said by any foreign government or individual about Microsoft or Apple operating systems.

  • Seriously, let them decide "fuck the USA, we still have the rest of the world". Downside? Sales in the US fall. Upside? As the great lady sings "Are EE Ess Pee Ee See Tee".

    Give em the source. Downside? NSA says "damn, never thought of that.". Or "damn, they just found $NSA_Hack_Tool". Upside? Nothing I can think of, outside of sales in the US.

