Kaspersky Lab To Open Software To Review, Says Nothing To Hide (reuters.com)
Moscow-based Kaspersky Lab will ask independent parties to review the security of its anti-virus software, which the U.S. government has said could jeopardize national security, citing concerns over Kremlin influence and hijacking by Russian spies. From a report: Kaspersky, which research firm Gartner ranks as one of the world's top cyber security vendors for consumers, said in a statement that it would submit the source code of its software and future product updates for review by a broad cross-section of computer security experts and government officials. It also vowed to have outside parties review other aspects of its business, including software development. Reviews of its software, which is used on some 400 million computers worldwide, will begin by the first quarter of next year, it said. "We've nothing to hide," Chairman and CEO Eugene Kaspersky said on Monday. "With these actions we'll be able to overcome mistrust and support our commitment to protecting people in any country on our planet." Kaspersky did not name the outside reviewers, but said they would have strong software security credentials and be able to conduct technical audits, source code reviews and vulnerability assessments.
Here you go: our full source code! (Score:3, Insightful)
(... except backdoor.c.)
Re: Here you go: our full source code! (Score:5, Insightful)
You are aware that a server can only collect data that the client sends, yes?
Re: (Score:2, Insightful)
You'll never find the back door in the source code, because the back door isn't source code.
Hint: Kaspersky is in Russia, and Russian spies probably have a copy of Kaspersky's SSL cert and code signing keys. Add those together, and you've got MITM trojan updates that look 100% legit ... anytime Russia feels like it, on a user-by-user basis.
Re: (Score:1)
As if Microsoft isn't in bed with the NSA, and could push out 'custom' Windows updates to any machine of interest.
Re: Here you go: our full source code! (Score:2)
Blue Coat Systems. Google it.
Re: Here you go: our full source code! (Score:2)
After the source is reviewed, you'd have to hand the source to some kind of trusted third party to build and package ... Particularly for a Windows app that is packaged with an installer program that has to be run with administrative privileges.
The source code reviewed may be clean as a whistle, but it doesn't necessarily represent what gets installed, and what gets installed isn't everything that runs on the target system.
Re: (Score:2)
and what gets installed isn't everything that runs on the target system.
The real problem isn't the software, it is the wrench that the programmers live within arm's reach of.
Who cares how many squirrels are in the software? Hate to say it, there is nothing these guys can do to regain trust at this point. Everybody knows about the wrench now, everybody knows they had no choice. Everybody knows they live in a country without individual rights where there is no way for the courts or anybody else to protect an individual business from being manipulated.
If they'd moved somewhere else wh
Re: (Score:2)
Still doesn't tell you what their installer did.
Re: (Score:2)
Re: (Score:3, Insightful)
You know...it would seem like an obvious first step would be to move the company the fuck out of Russia if they wanted to start generating trust of their product again.
As if USA is trustworthy.
Re: (Score:3)
The better question is what country to move to.
Re: (Score:1)
What about Switzerland?
Re: (Score:2)
Hm....flamebait?
Must be a large Russian faction on slashdot these days?
Re: Here you go: our full source code! (Score:2)
Sure. But to what country should they move? It would need to be some place with actual national sovereignty - i.e. they cannot be bent to the will of Five Eyes, Russia, China, Israel, etc - that also has no desire to snoop on the world.
Does such a country actually exist? If so, I may want to go live there.
Re: (Score:2)
When will Denuvo be opened to inspection?
With every single piece of crippleware they publish, I bet there are more assembly level audits going on of that software than any other closed-source soft.
Re: (Score:2)
Reviews of its software, which is used on some 400 million computers worldwide, will begin by the first quarter of next year,
after the backdoors have been removed
it said.
Source submitted (Score:1)
Re: (Score:2)
Yeah, exactly. Unless I can build the thing myself, it's still unsafe.
And even if you can, it may still be unsafe [win.tue.nl]. Who's to say your compilers or hardware are not compromised?
Re: (Score:2)
With something that large, who is to say you would even catch it if there was something hidden in the code, unless you intend to make auditing the code a full-time job.
Re: (Score:2)
When you demand the source and the ability to build it yourself, does that leave a company with a viable product to sell and IP to maintain, or should they just be forced to give their product away for free and surrender all IP?
This makes no sense. There are tons of software for sale out there that come as source code and aren't open source. Being able to compile it yourself is no different from being able to install a huge Python, PHP, Perl or whatever server-side script for which you must pay. Sure, you can pirate it, but you can also pirate the binary for compiled software, so no difference there.
As for copying the algorithms, there are patent protections for that too, so the same idea applies.
Re: (Score:2)
Patent protection for algorithms? Only in the US and I thought that had been stopped.
AFAIK, you cannot patent the algorithm itself, but that doesn't prevent smart tech companies from patenting everything related to the algorithm except for the algorithm itself, so that it becomes practically impossible to use it anyway.
Example: iPhones' slide-to-unlock. They don't need to patent the small algorithm "change this boolean the finger moves from region A to region B" to make it unusable by anyone else without royalties payment. The same goes for everything else.
Re: (Score:2)
or should they just be forced to give their product away for free and surrender all IP?
They shouldn't be forced to do anything at all; hopefully we can all agree that they've been forced to do way too much already. Hopefully they can find some peace and a quieter life.
Re: (Score:2)
I see your point, but in this case, they could easily work as a subscription service whereby you are paying for the AV definitions.
Which of course begs the question: Are the AV definitions and engine updates scrutinized?
Re: (Score:1)
Do you mean back when software was distributed on mylar punched tape, or are you talking the really old software distributed on wired diode arrays?
Re: (Score:1)
So you're not talking about the much heralded 'old days when software was free' in the 1960s. Because back then there were a few hundred computer installations of any size in the whole world, and the software was 'free' because the hardware it ran on cost many millions of dollars per system, and the hardware clock time to run software was metered in CPU seconds. The software was 'free' because there was hardly any of it, and it made sense for it to be free.
Re: (Score:2, Insightful)
I'm not making any kind of statement as to whether or not Kaspersky has done anything they're accused of, but what could they possibly do to prove to you that the accusations against them are false with statements like that? Let's be realistic here and recognize that fully open sourcing the product isn't a viable option.
At least in the US, people are supposed to be innocent until proven guilty, but we always seem ready to convict companies like Kaspersky in the Court of Public Opinion based on little more t
Re:Source submitted (Score:4, Insightful)
Build it and compare the result to the published binary?
Say, is it me or is it kinda odd that the accused has to prove his innocence? Last time that was due practice people got a cremation without prior demise.
Re: (Score:2)
Say, is it me or is it kinda odd that the accused has to prove his innocence? Last time that was due practice people got a cremation without prior demise.
Lawl. You seem a bit confused. That's criminal trial only. In civil suits the standard is only 'a preponderance of evidence.' Of course, none of that applies here, as this is all voluntary action from Kaspersky, in response to accusations. And also, of course, they still get to deal with The Court of Public Opinion, where the standard of evidence is more like 'She looks like a witch! Does she weigh as much as a duck? BURN HER!'
Re: (Score:3)
Reproducible builds are hard.
Re: (Score:1)
Nationalism liberated the African continent from any of the cultural traditions that had made the African peoples humane and civilized in their past. Those cultural traditions predate the times when the European explorers arrived to corrupt the African peoples, btw.
When the Europeans withdrew, they left the borders drawn on the land that they had imposed there. This left the traditional social/political structures of the African peoples sliced up by artificial political boundaries, which is a BIG part of
Re: (Score:1)
There cannot be 'primary sources' on archive.org, because the sources regarding pre-colonial African civilization aren't housed on the Internet.
For cripes sake. There is a LOT of history that predates the creation of ARPANET.
And the point I was making regarding the existence of 'human and civilized pre-colonial African culture' isn't negated by warlords corrupted by the European colonialists. You're referring to small-time operators who pandered to the Europeans.
Stick to your white power websites if you
Re: Yeah sure (Score:2)
What primary sources do you suggest? My knowledge of African history is weak - I'd love to learn more.
Fwiw, archive.org has tons of old pre- internet books scanned and available.
Translation (Score:2)
Translation: we've finally hidden all the dodgy stuff.
P.S. Forrester says they're shite.
Re: (Score:2)
Clayton or Pearl?
If they really wanted vindication.... (Score:5, Interesting)
And I don't mean sue them through civil court for damages, I mean actually file real criminal charges against them. Since the government appears to want to keep being mum about why they are saying this about Kaspersky, their only defense against this would then be to go on-record as saying that this is in their opinion only, and not based on any actual findings.
Of course, none of this would necessarily prove that Kaspersky software can actually be trusted, but it would force the US government to shut up about it, unless they are prepared to reveal exactly *why* they believe the company is less than trustworthy (which I don't think they want to do).
Re: (Score:2)
I mean actually file real criminal charges against them
Please cite the law that makes slander or libel a criminal offense.
Also, please cite the law that allows a private entity to bring a criminal case against anyone.
Re: (Score:2)
It starts with a police report... since knowingly spreading false information about a person or company is actually illegal (and is the entire grounds for which one may be able to claim civil damages, if circumstances warrant it, but that's not what Kaspersky should be after here if they want to make headway). There is no lack of evidence to show that the allegation that Kaspersky Labs cannot be trusted began with the government, so the only thing remaining is to show either that it was true to the best
Re: (Score:2)
You must be new around here .... our current administration isn't interested in facts ... at least that's what I've been told.
They seem mostly interested in hearsay and getting ideas out into people's heads using the same techniques that despots like McCarthy used to spread FUD.
I mean, I'm not saying that, but that's what people seem to be saying.
Re:If they really wanted vindication.... (Score:4, Insightful)
The previous administration didn't care about facts either. Or the administration before that, or the one before that.
Quit pretending that this is unprecedented.
Re: (Score:2)
That's a lot of words to utterly fail at what you were trying to do.
Once again, please cite the law that makes slander and/or libel a criminal offense, and please cite the law that allows a private entity to bring a criminal case against someone.
(Just to save you some more typing, there are no such laws. The remedy for slander or libel is a civil case. And criminal charges can only be brought by the government.)
Also, you might want to google "States Secrets Privilege". Even if Kaspersky brought a civil s
Re: (Score:2)
Posting the statute against fraud in a second location does not suddenly turn it into a statute against slander or libel.
Also, you've still managed to not cite the law that allows a private entity to bring a criminal case against anyone.
Btw, you googled States Secrets Privilege yet?
Re: (Score:2)
That statute explicitly *includes* slander and libel:
Re: (Score:2)
18 U.S.C. § 1001
Re: (Score:3)
That's fraud, not slander or libel.
Re: (Score:2)
Knowingly spreading false information is covered in that section. See subsection (a) 2 and 3:
Re: (Score:2)
Yes, because spreading false information is a key element of fraud.
Slander and libel are not fraud, no matter how badly you want them to be.
Re: (Score:2)
I didn't suggest that they are fraud.... I suggest, however, that they are covered under the statute that I quoted, and are definitely against US federal law.
The key word in that statute is "knowingly"... so to not be guilty of violating that statute, all the government needs to do to avoid being guilty of the crime is either a) explain why they believe the claim to be true (and note, this is immaterial to whether or not it actually is true), or b) admit that the claim is only an opinion, and not founded
Sovereign Immunity (Score:3)
Unless you can point to a statute wherein we've waived Sovereign Immunity for that exact type of lawsuit, that would violate the 11th Amendment:
https://legal-dictionary.thefreedictionary.com/11th+Amendment [thefreedictionary.com]
Impeachment (Score:2)
Oh how amazing would it be if Trump got impeached for violating the federal criminal code by slandering a Russian.
Won't happen (likely can't happen).
Re: (Score:2)
I haven't seen any defamation lawsuits that were criminal. Exactly who do you see them suing under which statute(s)? Also, many agents of the government have various forms of immunity for things they're doing as part of their job.
I don't think this is anywhere near as simple as you make it sound.
Re: (Score:2)
True... and although that might save them from the legal consequences, it wouldn't change the social ramifications. They would have to give themselves an official pardon for the act, which would be admitting that they were knowingly spreading false information in the first place.
Re: (Score:2)
Right... and it's at this point that I believe that any prosecution against the US government on this matter would actually probably fail. Either way, however, it gets the government to put up or shut up about it. In the unlikely event that the government is found guilty, they'll probably pardon themselves for it and not have any legal penalty, but then everyone would *know* that th
Re: (Score:2)
Yeah, but the thing is you're going to get an expensive diversion that doesn't even get to the point of actually talking about the issue. You have a long hard fight with respect to jurisdiction and immunity, where you're likely to lose on procedural grounds and never get to the point of even discussing whether the statements were true or not. And then you'd suffer a PR hit for losing on the basis that the government won't allow you to sue it.
In short, this really sounds like a money pit to me, rather than
Re: (Score:2)
I'm suggesting that it doesn't matter if the statements are true or not... the point of the criminal allegation would simply be to force the government to either provide evidence to substantiate it (which they don't seem to want to do), shut up about it (and retract the claims), or else admit they deliberately lied. Even if they did the latter, I'm quite aware there probably wouldn't be any actual legal consequences, but the PR implications would persist.
It might be a bit of a money pit in that there's
Re: (Score:2)
Right, but I'm saying that the lawsuit would be dismissed before you even got to the part of the lawsuit where the feds had to give out their evidence. And we're also neglecting that they can mumble "national security" and get out of showing their cards as well...
FWIW, Kaspersky did respond [securelist.com] to many of the allegations against it. There were also separate responses about picking up the NSA malware from the contractor's computer. The contractor's computer was backdoored & they ran a scan on it to get ri
Re: (Score:2)
I'm inclined to think that if they were going to play the "national security" card, they would have done so by now... putting it on the record that was really at stake.
Also, this wouldn't be a lawsuit, it would be an accusation of criminal behavior, which you couldn't dismiss on account of any lack of evidence in a criminal case on making false statements unless it was somehow in doubt that they ever made the statements in the first place. There is no such doubt, so there is no basis for dismissal before
Re: (Score:2)
See 18 U.S.C. § 1001.
It is, in fact, a federal crime, and people have served time for it in the past... Martha Stewart comes to mind as one prominent recent example.
Very good (Score:5, Interesting)
If they do that, then that's absolutely great and reason alone to switch to Kaspersky. Everybody should welcome this.
Closed-source Antivirus and other security products (encryption, voting machines, credit card processing, etc.) tend to be fairly insecure for lack of external auditing. Companies go to great lengths to claim how careful they are etc., but the sad truth is that without any external auditing they will allow all kinds of blunders, fix vulnerabilities late and secretly, etc. This has been proven again and again.
It's definitely a step in the right direction. To say more about it, we'll need to see the printed results of the audits and who conducted them.
Re: (Score:2)
I have used ClamAV on Linux in the past, but wasn't very impressed. Anyway, the argument you seem to implicate is a non-sequitur. I'm saying that Kaspersky with a full audit by a trustworthy 3rd-party would be an awesome antivirus product and probably the best and most secure on the market. I am decidedly not saying that any random open-source antivirus program would be the best just because it's open source. By the way, I haven't checked but somehow doubt that ClamAV has been audited by a professional 3rd
Re: (Score:2)
If they do that, then that's absolutely great and reason alone to switch to Kaspersky.
Yes and no. Unless the code is completely open to review, compilation, and distribution all at the same point, a code review doesn't really prove diddly squat, since it's practically impossible to compare binaries to source code.
Not software freedom? Not advised to use. (Score:2)
No, in fact the continued lack of software freedom for users is precisely the reason users should reject Kaspersky's, Microsoft's, Norton's, McAfee's, and so many other nonfree anti-malware software.
Will deployment go through that party? (Score:5, Interesting)
Very simple question really - and I am biased towards Kaspersky's side on this argument - what is the assurance that the user-facing builds will be based solely on the reviewed code?
I am all in for transparency, especially in scenarios where there are serious accusations and serious financial/security/privacy implications. But transparency cannot be dust in the eyes (is this a right use for the idiom?).
What they will find (Score:2)
The program detects arbitrary files and retrieves samples of them using signatures provided by a company in Russia.
oy shut it down (Score:3, Insightful)
Kaspersky is the one that identified the NSA and CIA tools right.....and Stuxnet
can't have those pesky east europoors disclosing their debauchery
Re: (Score:3, Insightful)
Correct, Kaspersky is the only software of this type that we can even partially trust. All the raving on Capitol Hill about Kaspersky is because it poses a severe threat to the US Government sponsored malware and spyware. All the US companies are properly heeled at their master's feet. Those foreign 'coyote' software companies must be hunted to extinction!!
Re: (Score:2)
https://en.wikipedia.org/wiki/... [wikipedia.org]
Add it in later/again (Score:2)
The problem with this is that with any antivirus software you have to keep the virus database and AV engine up to date for it to be effective.
So that means at any point in the future "backdoor.c" can be added and deployed automatically, and the users would be no wiser.
Also does this actually prove that the compiled binary blob is without a backdoor????
I don't think that was the point (Score:5, Interesting)
So what's an analysis of the source code going to show? That Kaspersky sends back Word DOC files? Well... DERP.
The CEO of Kaspersky has already defended his software's actions that pulled back code that looked like it was malicious and that they make no apologies for being aggressive in tracking cyber-crime.
More importantly will this release of the source code include their data tables for the signatures and key phrases they detect?
Oblig (Score:5, Insightful)
Kaspersky is guilty of "writing code while being Russian".
Russian kompromat (Score:2)
It means nothing (Score:2)
Re: (Score:2)
So to me Kaspersky is the safest as ONLY the Russians can read everything in the worst case. In the same worst case, with the rest, the Russians can read it, together with the Americans.
What makes you assume the US and Russia aren't sharing this sort of data? The public posturing?
Re: (Score:1)
Hillary wasn't elected, so the 'Reset Button' is not wired to anything any longer.
Pointless (Score:4, Insightful)
I'm sounding like a broken record posting the same kinds of comments to these Kaspersky stories. The software itself isn't the issue. What does antivirus software do? Reads files, analyzes them for various content / fingerprints, transfers any files it deems "suspicious" back to the company for "analysis" (default setting, unless disabled by the user), and modifies and deletes files. Same with the system registry. There will be no surprises here - we already know the software has total access to read and write to anything on the system and transfer our files to 3rd parties.
The issue is the dynamic control of the software, not how the software was written. That is in the form of antivirus definitions, which are the fingerprints to identify malicious code, and the scripts used to clean (or simply delete) infected files, which are pushed to the software practically daily. THAT is the issue - who controls the behavior of the software. Let's go worst-case and assume Russia wanted to weaponize Kaspersky antivirus. All they have to do is force the company to identify a few key pieces of Windows OS as malicious files, and delete those files as the way of quarantining the malware. Suddenly millions of Windows machines stop working. How does having access to the source code prevent that?
What we need is antivirus definitions that are controlled by some neutral "open" body that we can actually put some trust in. Currently, I rely on Microsoft's antivirus software. Why? Well, they already hold the keys to my system. They can already screw me over with a bad OS update (and it is harder and harder to disable automatic updates with each new version of Windows). So at least them having the ability to also screw me over with a bad antivirus update doesn't represent an entirely new vector by yet another 3rd party.
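The worst case argued in this post (a definitions push that marks core OS files as malware and deletes them) and the "neutral open body" proposal, as an added Python example that is not Kaspersky's code and not from the thread: a policy gate that requires any rule touching a protected OS location to be attested by an independent review body as well as the vendor, and even then downgrades delete to quarantine there. The update format, paths, party names and keys are constructed, and HMAC with per-party keys stands in for real public-key signatures.

```python
"""Policy gate for antivirus definition pushes (added example, constructed data)."""
import hashlib
import hmac
import json
from pathlib import PureWindowsPath

# Constructed per-party keys: a stand-in for each party's signing key.
PARTY_KEYS = {"vendor": b"constructed-vendor-key", "review-body": b"constructed-body-key"}

# Locations where a bad definition takes the OS down with it (constructed list).
PROTECTED = [PureWindowsPath(r"C:\Windows\System32"), PureWindowsPath(r"C:\Windows\Boot")]


def attest(party, update_bytes):
    """A party's attestation over the exact update bytes."""
    return hmac.new(PARTY_KEYS[party], update_bytes, hashlib.sha256).hexdigest()


def attesting_parties(update_bytes, attestations):
    """Return the set of parties whose attestation verifies against the update."""
    return {party for party, tag in attestations.items()
            if party in PARTY_KEYS and hmac.compare_digest(tag, attest(party, update_bytes))}


def is_protected(path):
    """True if path is inside a protected OS location (case-insensitive on Windows)."""
    p = PureWindowsPath(path)
    return any(p == root or root in p.parents for root in PROTECTED)


def gate(update_bytes, attestations):
    """Decide per rule: 'apply', 'quarantine-instead', or 'reject:<reason>'."""
    parties = attesting_parties(update_bytes, attestations)
    rules = json.loads(update_bytes)["rules"]
    if "vendor" not in parties:
        # Nothing from an unverified pusher is ever acted on.
        return [(r["path"], "reject:unsigned") for r in rules]
    decisions = []
    for r in rules:
        if not is_protected(r["path"]):
            decisions.append((r["path"], "apply"))
        elif "review-body" not in parties:
            decisions.append((r["path"], "reject:protected-path-needs-independent-attestation"))
        elif r["action"] == "delete":
            # Even a doubly attested rule may not delete OS files outright.
            decisions.append((r["path"], "quarantine-instead"))
        else:
            decisions.append((r["path"], "apply"))
    return decisions


# Constructed update: one ordinary detection, one that would remove a core OS file.
SAMPLE_UPDATE = json.dumps({
    "version": "constructed-2017.10",
    "rules": [
        {"signature": "Sample.A", "path": r"C:\Users\alice\Downloads\dropper.exe", "action": "delete"},
        {"signature": "Sample.B", "path": r"C:\WINDOWS\System32\critical.dll", "action": "delete"},
    ],
}, sort_keys=True).encode()

if __name__ == "__main__":
    vendor_only = {"vendor": attest("vendor", SAMPLE_UPDATE)}
    both = {**vendor_only, "review-body": attest("review-body", SAMPLE_UPDATE)}
    print(gate(SAMPLE_UPDATE, vendor_only))          # second rule rejected
    print(gate(SAMPLE_UPDATE, both))                 # second rule quarantined, not deleted
    print(gate(SAMPLE_UPDATE, {"vendor": "0" * 64}))  # bad attestation: everything rejected
```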
Re: (Score:2)
Fair point on that 2nd paragraph, especially to the non-AV-savvy like me. But I'd like to point out that the Windows Defender (3rd paragraph) point doesn't make much sense after the grain of salt - nobody that cares for security (mostly sysadmins/or the "IT crowd") will ever consider stalling the OS support lifecycle (i.e. disable updates), but they will push them to non-office or downtime periods (weekends?), already posing a naive defense in itself from Microsoft's control.
Having standardized definitions is w
Windows OS as malicious files (Score:2)
identify a few key pieces of Windows OS as malicious files, and delete those files as the way of quarantining the malware.
So, working as intended?
They have nothing to hide (Score:2)
Suggestion for a guaranteed build + anonymization (Score:2)
How about some security experts try to provide guidelines which would allow them to recommend to any government that they trust Kaspersky? This would be a major advance that would benefit all software vendors including competing antivirus vendors.
The idea is it costs money, but this is an investment in infrastructure security, so governments or cash-rich computer companies like Google, Microsoft, Apple could fund it perhaps.
So far I have not heard of anything that has not got a potential workaround. Here is a
Open source by extortion (Score:1)
It's not the software, it's the conduit (Score:1)
By reporting back telemetry in a method that it can be used by trained "external advisory" Russian agents, it doesn't matter how the software works, it matters what it does and what route it takes.
The Cold War is back. Get used to it.
Tough sell (Score:1)
The market is never going to accept KL isn't sending all data to Moscow.
Even if they truly aren't.
I feel bad for them.
Nota bene (Score:2)
On a technical level this is pure BS: Kaspersky (and any other AV for that matter) updates include application components like libraries and binaries, so this source code audit is only valid for one particular version of the application which will be outdated days if not hours after being submitted. So, unless Kaspersky submits the source code continuously, this proposal is pretty much meaningless.
You need the tool chain too. (Score:2)
lol, what? (Score:2)
Do they really think people are ignorant enough to fall for this? Okay, actually the U.S. government undoubtedly is, but not the rest of us. Unless these security researchers with access to the source code are going to be the ones compiling it and releasing binaries, this is nothing but a pointless exercise. If they released verifiable builds, where independent security researchers could release a unique signature of the binaries generated from code they had compiled themselves, then *maybe* this would b
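The verifiable-builds point made in this post, and the earlier "build it and compare the result to the published binary" / "reproducible builds are hard" exchange, as an added Python example that is not Kaspersky's tooling and not from the thread. It models a source tree as a constructed in-memory dict, packages it into a tar archive standing in for the shipped installer, shows why a naive build does not reproduce (timestamps, entry order, builder identity), normalises those, and lets several independent builders compare their rebuild against a vendor-published SHA-256. File names, contents and the reference timestamp are constructed.

```python
"""Reproducible-build check: does a rebuild from the reviewed source match what ships?"""
import hashlib
import io
import tarfile

# Constructed sample source tree (hypothetical file names and contents).
SOURCE_TREE = {
    "scanner/engine.c": b"int scan(const char *path) { return 0; }\n",
    "scanner/main.c": b"int scan(const char *);\nint main(void) { return scan(\"/\"); }\n",
    "Makefile": b"all:\n\tcc -o scanner scanner/*.c\n",
}

# Reference timestamp every independent builder agrees on (the SOURCE_DATE_EPOCH
# idea); the value itself is constructed.
SOURCE_DATE_EPOCH = 1_500_000_000


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def _pack(tree, mtime, sort_entries, owner):
    """Package a source tree as a tar archive held in memory.

    Timestamp, entry order and owner are three classic sources of
    non-reproducibility; the caller decides whether each is normalised.
    """
    buf = io.BytesIO()
    entries = sorted(tree.items()) if sort_entries else list(tree.items())
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path, data in entries:
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.mtime = mtime
            if owner is not None:
                info.uid, info.uname = owner
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def naive_build(tree, wall_clock, uid=1000, uname="builder"):
    """A typical build: stamps the current time, keeps whatever order the
    filesystem returned, records who ran it. Two runs rarely match."""
    return _pack(tree, mtime=int(wall_clock), sort_entries=False, owner=(uid, uname))


def reproducible_build(tree):
    """Same inputs, normalised: fixed timestamp, sorted entries, no owner."""
    return _pack(tree, mtime=SOURCE_DATE_EPOCH, sort_entries=True, owner=None)


def verify_against_published(published_sha256, builders):
    """Each independent builder rebuilds from its copy of the reviewed source;
    the shipped artifact is trusted only if every rebuild matches it.

    builders: {builder_name: source_tree}. Returns (all_match, per_builder).
    """
    per_builder = {name: sha256_hex(reproducible_build(tree)) == published_sha256
                   for name, tree in builders.items()}
    return all(per_builder.values()), per_builder


if __name__ == "__main__":
    published = sha256_hex(reproducible_build(SOURCE_TREE))  # hash the vendor publishes
    # Same source, but checked out in a different order on another builder's disk.
    reordered = dict(reversed(list(SOURCE_TREE.items())))
    # A change that is not in the reviewed source (constructed).
    unreviewed = dict(SOURCE_TREE)
    unreviewed["scanner/engine.c"] += b"/* not in the reviewed tree */\n"

    print("naive builds agree:", sha256_hex(naive_build(SOURCE_TREE, 1_700_000_000))
          == sha256_hex(naive_build(SOURCE_TREE, 1_700_000_001)))   # False
    print("reproducible rebuilds agree:",
          verify_against_published(published, {"lab_a": SOURCE_TREE, "lab_b": reordered}))
    print("unreviewed change detected:",
          verify_against_published(published, {"lab_a": SOURCE_TREE, "lab_c": unreviewed}))
```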
the rooskies are coming (Score:2)
Hitler gave Putin a high-five while they both kicked my dog!!!!!1!!
Bikini wax (Score:1)
Re: (Score:2)
It should be standard for *all* software, period. That's what the Open Source movement is all about.
People need to start thinking of proprietary software just like they do non-peer-reviewed scientific research. We need to build a web of trust.