
Kaspersky Lab To Open Software To Review, Says Nothing To Hide (reuters.com) 152

Moscow-based Kaspersky Lab will ask independent parties to review the security of its anti-virus software, which the U.S. government has said could jeopardize national security, citing concerns over Kremlin influence and hijacking by Russian spies. From a report: Kaspersky, which research firm Gartner ranks as one of the world's top cyber security vendors for consumers, said in a statement that it would submit the source code of its software and future product updates for review by a broad cross-section of computer security experts and government officials. It also vowed to have outside parties review other aspects of its business, including software development. Reviews of its software, which is used on some 400 million computers worldwide, will begin by the first quarter of next year, it said. "We've nothing to hide," Chairman and CEO Eugene Kaspersky said on Monday. "With these actions we'll be able to overcome mistrust and support our commitment to protecting people in any country on our planet." Kaspersky did not name the outside reviewers, but said they would have strong software security credentials and be able to conduct technical audits, source code reviews and vulnerability assessments.
  • by Anonymous Coward on Monday October 23, 2017 @09:10AM (#55417231)

    (... except backdoor.c.)

    • Or, it's the source code to only the client and refer any data collection in the same light as Firefox, to which the wording is now creepy as hell and on by default with no warning. I want to know what's going on server side that all users blindly agree to in the EULA.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      You'll never find the back door in the source code, because the back door isn't source code.

      Hint: Kaspersky is in Russia, and Russian spies probably have a copy of Kaspersky's SSL cert and code signing keys. Add those together, and you've got MITM trojan updates that look 100% legit ... anytime Russia feels like it, on a user-by-user basis.

    • After the source is reviewed, you'd have to hand the source to some kind of trusted third party to build and package ... Particularly for a Windows app that is packaged with an installer program that has to be run with administrative privileges.

      The source code reviewed may be clean as a whistle, but it doesn't necessarily represent what gets installed, and what gets installed isn't everything that runs on the target system.

      • and what gets installed isn't everything that runs on the target system.

        The real problem isn't the software, it is the wrench that the programmers live within arm's reach of.

        Who cares how many squirrels are in the software? Hate to say it, there is nothing these guys can do to regain trust at this point. Everybody knows about the wrench now, everybody knows they had no choice. Everybody knows they live in a country without individual rights where there is no way for the courts or anybody else to protect an individual business from being manipulated.

        If they'd moved somewhere else wh

    • That goes back in with the next update after the reviews are completed. Uninstall Krapersky and pick sth else, case closed.
    • Hint: the backdoor isn't in the source, it's in the compiler used to build the source.
  • Well they can show the source, but that may not be the source used to build the product.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      I'm not making any kind of statement as to whether or not Kaspersky has done anything they're accused of, but what could they possibly do to prove to you that the accusations against them are false with statements like that? Let's be realistic here and recognize that fully open sourcing the product isn't a viable option.

      At least in the US, people are supposed to be innocent until proven guilty, but we always seem ready to convict companies like Kaspersky in the Court of Public Opinion based on little more t

    • by Opportunist ( 166417 ) on Monday October 23, 2017 @10:21AM (#55417641)

      Build it and compare the result to the published binary?

      Say, is it me or is it kinda odd that the accused has to prove his innocence? Last time that was due practice people got a cremation without prior demise.

      • Say, is it me or is it kinda odd that the accused has to prove his innocence? Last time that was due practice people got a cremation without prior demise.

        Lawl. You seem a bit confused. That's criminal trial only. In civil suits the standard is only 'a preponderance of evidence.' Of course, none of that applies here, as this is all voluntary action from Kaspersky, in response to accusations. And also, of course, they still get to deal with The Court of Public Opinion, where the standard of evidence is more like 'She looks like a witch! Does she weigh as much as a duck? BURN HER!'

      • by fisted ( 2295862 )

        Reproducible builds are hard.

  • Translation: we've finally hidden all the dodgy stuff.

    P.S. Forrester says they're shite.

  • by mark-t ( 151149 ) <markt AT nerdflat DOT com> on Monday October 23, 2017 @09:25AM (#55417313) Journal

    ... they'd charge the government with slander/libel.

    And I don't mean sue them through civil court for damages, I mean actually file real criminal charges against them. Since the government appears to want to keep being mum about why they are saying this about Kaspersky, their only defense against this would then be to go on-record as saying that this is in their opinion only, and not based on any actual findings.

    Of course, none of this would necessarily prove that Kaspersky software can actually be trusted, but it would force the US government to shut up about it, unless they are prepared to reveal exactly *why* they believe the company is less than trustworthy (which I don't think they want to do).

    • I mean actually file real criminal charges against them

      Please cite the law that makes slander or libel a criminal offense.

      Also, please cite the law that allows a private entity to bring a criminal case against anyone.

      • by mark-t ( 151149 )

        It starts with a police report... since knowingly spreading false information about a person or company is actually illegal (and is the entire grounds for which one may be able to claim civil damages, if circumstances warrant it, but that's not what Kaspersky should be after here if they want to make headway). There is no lack of evidence to show that the allegation that Kaspersky Labs cannot be trusted began with the government, so the only thing remaining is to show either that it was true to the best

        • You must be new around here .... our current administration isn't interested in facts ... at least that's what I've been told.

          They seem mostly interested in hearsay and getting ideas out into people's heads using the same techniques that despots like McCarthy used to spread FUD.

          I mean, I'm not saying that, but that's what people seem to be saying.

          • by mark-t ( 151149 )
            I'm not alleging that they are... I'm only suggesting using the justice system to either force the government to put up or shut up about it. It doesn't matter if they've made stuff up... they are going to either have to present what basis they had for believing the allegation that Kaspersky software cannot be trusted or else they would have to say that it is their opinion only (which is, as I said, a valid defense against criminal prosecution for the relevant crime). By going on-record that it is only their op
          • by Archangel Michael ( 180766 ) on Monday October 23, 2017 @12:15PM (#55418379) Journal

            The previous administration didn't care about facts either. Or the administration before that, or the one before that.

            Quit pretending that this is unprecedented.

        • That's a lot of words to utterly fail at what you were trying to do.

          Once again, please cite the law that makes slander and/or libel a criminal offense, and please cite the law that allows a private entity to bring a criminal case against someone.

          (Just to save you some more typing, there are no such laws. The remedy for slander or libel is a civil case. And criminal charges can only be brought by the government.)

          Also, you might want to google "States Secrets Privilege". Even if Kaspersky brought a civil s

          • by mark-t ( 151149 )
            18 U.S.C. § 1001(a)(2)
            • Posting the statute against fraud in a second location does not suddenly turn it into a statute against slander or libel.

              Also, you've still managed to not cite the law that allows a private entity to bring a criminal case against anyone.

              Btw, you googled States Secrets Privilege yet?

              • by mark-t ( 151149 )

                Posting the statute against fraud in a second location does not suddenly turn it into a statute against slander or libel

                That statute explicitly *includes* slander and libel:

                (a) Except as otherwise provided in this section, whoever, in any matter within the jurisdiction of the executive, legislative, or judicial branch of the Government of the United States, knowingly and willfully--

                (1) falsifies, conceals, or covers up by any trick, scheme, or device[ , ] a material fact;
                (2) makes any materially false, f
      • by mark-t ( 151149 )
        Oh, and by the way...

        Please cite the law that makes slander or libel a criminal offense.

        18 U.S.C. § 1001

        • That's fraud, not slander or libel.

          • by mark-t ( 151149 )

            Knowingly spreading false information is covered in that section. See subsection (a) 2 and 3:

            (a) Except as otherwise provided in this section, whoever, in any matter within the jurisdiction of the executive, legislative, or judicial branch of the Government of the United States, knowingly and willfully--

            (1) falsifies, conceals, or covers up by any trick, scheme, or device[ , ] a material fact;
            (2) makes any materially false, fictitious, or fraudulent statement or representation; or
            (3) makes or uses any
            • Yes, because spreading false information is a key element of fraud.

              Slander and libel are not fraud, no matter how badly you want them to be.

              • by mark-t ( 151149 )

                I didn't suggest that they are fraud.... I suggest, however, that they are covered under the statute that I quoted, and are definitely against US federal law.

                The key word in that statute is "knowingly"... so to not be guilty of violating that statute, all the government needs to do to avoid being guilty of the crime is either a) explain why they believe the claim to be true (and note, this is immaterial to whether or not it actually is true), or b) admit that the claim is only an opinion, and not founded

    • Unless you can point to a statute wherein we've waived Sovereign Immunity for that exact type of lawsuit, that would violate the 11th Amendment:

      The Judicial power of the United States shall not be construed to extend to any suit in law or Equity, commenced or prosecuted against one of the United States by Citizens of another State, or by Citizens or Subjects of any Foreign State.

      https://legal-dictionary.thefreedictionary.com/11th+Amendment [thefreedictionary.com]

      • by mark-t ( 151149 )
        What you've cited would only protect them from a civil lawsuit. It does not protect them from prosecution for violating an actual federal law
        • Oh how amazing would it be if Trump got impeached for violating the federal criminal code by slandering a Russian.

          Won't happen (likely can't happen).

        • I haven't seen any defamation lawsuits that were criminal. Exactly who do you see them suing under which statute(s)? Also, many agents of the government have various forms of immunity for things they're doing as part of their job.

          I don't think this is anywhere near as simple as you make it sound.

          • by mark-t ( 151149 )
            As I mentioned elsewhere, what happened to Martha Stewart is just one noteworthy example in relatively recent times.

            Also, many agents of the government have various forms of immunity for things they're doing as part of their job.

            True... and although that might save them from the legal consequences, it wouldn't change the social ramifications. They would have to give themselves an official pardon for the act, which would be admitting that they were knowingly spreading false information in the first place.

  • Very good (Score:5, Interesting)

    by ( 4475953 ) on Monday October 23, 2017 @09:28AM (#55417339)

    If they do that, then that's absolutely great and reason alone to switch to Kaspersky. Everybody should welcome this.

    Closed-source Antivirus and other security products (encryption, voting machines, credit card processing, etc.) tend to be fairly insecure for lack of external auditing. Companies go to great lengths to claim how careful they are etc., but the sad truth is that without any external auditing they will allow all kinds of blunders, fix vulnerabilities late and secretly, etc. This has been proven again and again.

    It's definitely a step in the right direction. To say more about it, we'll need to see the printed results of the audits and who conducted them.

    • If you truly believe this are you using ClamAV? [clamav.net]
      • by ( 4475953 )

        I have used ClamAV on Linux in the past, but wasn't very impressed. Anyway, the argument you seem to implicate is a non-sequitur. I'm saying that Kaspersky with a full audit by a trustworthy 3rd-party would be an awesome antivirus product and probably the best and most secure on the market. I am decidedly not saying that any random open-source antivirus program would be the best just because it's open source. By the way, I haven't checked but somehow doubt that ClamAV has been audited by a professional 3rd

    • If they do that, then that's absolutely great and reason alone to switch to Kaspersky.

      Yes and no. Unless the code is completely open to review, compilation, and distribution all at the same point, a code review doesn't really prove diddly squat since it's practically impossible to compare binaries to source code.

    • If they do that, then that's absolutely great and reason alone to switch to Kaspersky. Everybody should welcome this.

      No, in fact the continued lack of software freedom for users is precisely the reason users should reject Kaspersky's, Microsoft's, Norton's, McAfee's, and so many other nonfree anti-malware software.

      Closed-source Antivirus and other security products (encryption, voting machines, credit card processing, etc.) tend to be fairly insecure for lack of external auditing. Companies go at great leng

  • by cloud.pt ( 3412475 ) on Monday October 23, 2017 @09:31AM (#55417349)

    Very simple question really - and I am biased towards Kaspersky's side on this argument - what is the assurance that the user-facing builds will be based solely on the reviewed code?

    I am all in for transparency, especially in scenarios where there are serious accusations and serious financial/security/privacy implications. But transparency cannot be dust in the eyes (is this a right use for the idiom?).

  • The program detects arbitrary files and retrieves samples of them using signatures provided by a company in Russia.

  • oy shut it down (Score:3, Insightful)

    by Anonymous Coward on Monday October 23, 2017 @09:35AM (#55417365)

    Kaspersky is the one that identified the NSA and CIA tools right.....and Stuxnet
    can't have those pesky east europoors disclosing their debauchery

    • Re: (Score:3, Insightful)

      Correct, Kaspersky is the only software of this type that we can even partially trust. All the raving on Capitol Hill about Kaspersky is because it poses a severe threat to the US Government sponsored malware and spyware. All the US companies are properly heeled at their master's feet. Those foreign 'coyote' software companies must be hunted to extinction!!

  • The problem with this is that with any antivirus software you have to keep the virus database and AV engine up to date for it to be effective.

    So that means at any point in the future "backdoor.c" can be added and deployed automatically, and the users would be no wiser.

    Also does this actually prove that the compiled binary blob is without a backdoor????

  • by the_skywise ( 189793 ) on Monday October 23, 2017 @09:41AM (#55417403)
    From my understanding the software "worked as advertised" and pulled back Word DOC and other files for additional investigation. Allegedly those files ended up in the Russian government's hands via that pull back.
    So what's an analysis of the source code going to show? That Kaspersky sends back Word DOC files? Well... DERP.
    The CEO of Kaspersky has already defended his software's actions that pulled back code that looked like it was malicious and that they make no apologies for being aggressive in tracking cyber-crime.
    More importantly will this release of the source code include their data tables for the signatures and key phrases they detect?
  • Oblig (Score:5, Insightful)

    by Anonymous Coward on Monday October 23, 2017 @09:48AM (#55417447)

    Kaspersky is guilty of "writing code while being Russian".

  • Giving others the ability to read your source means nothing. The software may well do exactly what it advertises it does. But when it flags certain types of files, and that flag is sent back to Kaspersky Central, and that flag gets seen by a black hat, THAT is the breach of security. The black hats are looking for certain types of files out there, and Kaspersky is their front man, scanning all the systems it can, looking for possible Trojans etc and sending home all the data about who has what on which s
  • Comment removed based on user account deletion
    • So to me Kaspersky is the safest as ONLY the Russians can read everything in the worst case. In the same worst case, with the rest, the Russians can read it, together with the Americans.

      What makes you assume the US and Russia aren't sharing this sort of data? The public posturing?

  • Pointless (Score:4, Insightful)

    by Dan East ( 318230 ) on Monday October 23, 2017 @09:57AM (#55417487) Journal

    I'm sounding like a broken record posting the same kinds of comments to these Kaspersky stories. The software itself isn't the issue. What does antivirus software do? Reads files, analyzes them for various content / fingerprints, transfers any files it deems "suspicious" back to the company for "analysis" (default setting, unless disabled by the user), and modifies and deletes files. Same with the system registry. There will be no surprises here - we already know the software has total access to read and write to anything on the system and transfer our files to 3rd parties.

    The issue is the dynamic control of the software, not how the software was written. That is in the form of antivirus definitions, which are the fingerprints to identify malicious code, and the scripts used to clean (or simply delete) infected files, which are pushed to the software practically daily. THAT is the issue - who controls the behavior of the software. Let's go worst-case and assume Russia wanted to weaponize Kaspersky antivirus. All they have to do is force the company to identify a few key pieces of Windows OS as malicious files, and delete those files as the way of quarantining the malware. Suddenly millions of Windows machines stop working. How does having access to the source code prevent that?

    What we need is antivirus definitions that are controlled by some neutral "open" body that we can actually put some trust in. Currently, I rely on Microsoft's antivirus software. Why? Well, they already hold the keys to my system. They can already screw me over with a bad OS update (and it is harder and harder to disable automatic updates with each new version of Windows). So at least them having the ability to also screw me over with a bad antivirus update doesn't represent an entirely new vector by yet another 3rd party.
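The worst case the post above describes (a pushed definition that labels core OS files as malware and orders their deletion) is something an engine can gate on the client side. The following is a constructed Python model added here, not Kaspersky's or any vendor's real definition format or engine; the update format, the file inventory and the protected-path list are all assumptions made for the demo.

```python
"""Gate a definition update before it is allowed to destroy files.

Constructed example: the JSON update layout, the on-disk inventory and the
protected-path patterns are invented for the demo, not a vendor's real format.
"""
import fnmatch
import hashlib
import json

# Paths where a "delete" ordered by a definition update must never run
# automatically; the detection is reported and held for a human instead.
PROTECTED_PATTERNS = ["C:/Windows/System32/*", "C:/Windows/SysWOW64/*", "C:/Windows/*"]

# Constructed inventory: path -> stand-in file contents.
OS_FILE = "C:/Windows/System32/winlogon.exe"
USER_FILE = "C:/Users/alice/AppData/Local/Temp/invoice.exe"
INVENTORY = {
    OS_FILE: b"MZ...constructed winlogon stand-in...",
    USER_FILE: b"MZ...constructed malware stand-in...",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed definition update: one genuine detection and one "weaponized"
# entry whose hash matches a core OS binary and whose action is delete.
DEFINITION_UPDATE = json.dumps({
    "version": "2017-10-23-demo",
    "signatures": [
        {"name": "Trojan.Win32.Demo", "sha256": sha256_hex(INVENTORY[USER_FILE]), "action": "delete"},
        {"name": "Trojan.Win32.Bogus", "sha256": sha256_hex(INVENTORY[OS_FILE]), "action": "delete"},
    ],
})


def plan_actions(update_json: str, inventory: dict) -> list:
    """Match every inventory file against the update's hash signatures and return the planned actions."""
    update = json.loads(update_json)
    by_hash = {sig["sha256"]: sig for sig in update["signatures"]}
    plan = []
    for path, content in inventory.items():
        sig = by_hash.get(sha256_hex(content))
        if sig:
            plan.append({"path": path, "signature": sig["name"], "action": sig["action"]})
    return plan


def is_protected(path: str, patterns=PROTECTED_PATTERNS) -> bool:
    return any(fnmatch.fnmatch(path, p) for p in patterns)


def audit_plan(plan: list, patterns=PROTECTED_PATTERNS) -> dict:
    """Downgrade destructive actions on protected paths to 'hold_for_review'.

    The engine still surfaces the detection; it just may not delete an OS
    component solely because a daily definition push says so.
    """
    allowed, held = [], []
    for item in plan:
        if item["action"] == "delete" and is_protected(item["path"], patterns):
            held.append({**item, "action": "hold_for_review", "reason": "protected path"})
        else:
            allowed.append(item)
    return {"allowed": allowed, "held": held}


def demo() -> dict:
    """Run the constructed update against the constructed inventory."""
    return audit_plan(plan_actions(DEFINITION_UPDATE, INVENTORY))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```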

    • Fair point on that 2nd paragraph, especially to non-AV-savvy like me. But I'd like to point out that the Windows Defender (3rd paragraph) point doesn't make much sense after the grain of salt - nobody that cares for security (mostly sysadmins/or the "IT crowd") will ever consider stalling the OS support lifecycle (i.e. disable updates), but they will push them to non-office or downtime periods (weekends?), already posing a naive defense in itself from Microsoft's control.

      Having standardized definitions is w

    • identify a few key pieces of Windows OS as malicious files, and delete those files as the way of quarantining the malware.

      So, working as intended?

  • Their CEO says so - it must therefore be true, right?
  • How about some security experts try to provide guidelines which would allow them to recommend to any government that they trust Kaspersky? This would be a major advance that would benefit all software vendors including competing antivirus vendors.

    The idea is it costs money but this is an investment in infrastructure security so governments or cash-rich computer companies like google. microsoft, apple could fund it perhaps.

    So far I have not heard of anything that has not got a potential workaround. Here is a

  • Their US business is dwindling and this is a direct response.
  • By reporting back telemetry in a method that it can be used by trained "external advisory" Russian agents, it doesn't matter how the software works, it matters what it does and what route it takes.

    The Cold War is back. Get used to it.

  • Doesn't matter how many reviewers sign off on this.

    The market is never going to accept KL isn't sending all data to Moscow.

    Even if they truly aren't.

    I feel bad for them.
  • On a technical level this is pure BS: Kaspersky (and any other AV for that matter) updates include application components like libraries and binaries, so this source code audit is only valid for one particular version of the application which will be outdated days if not hours after being submitted. So, unless Kaspersky submits the source code continuously, this proposal is pretty much meaningless.

  • Source code is not enough. You need the build tool chain as well. You need to verify the tools don't inject anything in the binaries, and that the binaries produced from the exposed source are exactly the same as binaries sold or distributed by them. And one step backwards if they use open source tools is to examine the tools and build them. You need to go back to known safe code. Paranoia you say? XcodeGhost [wikipedia.org] was created by hackers to infect apps on the apple app store. They convinced people to download it
  • Do they really think people are ignorant enough to fall for this? Okay, actually the U.S. government undoubtedly is, but not the rest of us. Unless these security researchers with access to the source code are going to be the ones compiling it and releasing binaries, this is nothing but a pointless exercise. If they released verifiable builds, where independent security researchers could release a unique signature of the binaries generated from code they had compiled themselves, then *maybe* this would b
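The "build it and compare" check that several commenters ask for (and the reply that reproducible builds are hard), as a constructed Python model added here; this is not Kaspersky's code or build system. A toy linker that stamps the build time into the binary shows why a naive rebuild fails to match the shipped file, why agreeing on a fixed SOURCE_DATE_EPOCH-style timestamp makes the rebuild match, and how a byte-range diff tells harmless metadata drift from a shipped binary that carries bytes the reviewed source does not. The header layout and the timestamp value are assumptions.

```python
"""Why 'rebuild and compare' needs a deterministic build: constructed model.

build_artifact() stands in for a compiler/linker that embeds a build
timestamp, a classic source of non-reproducibility. The header layout is
invented for the demo and is not any real executable format.
"""
import hashlib
import struct

SOURCE_DATE_EPOCH = 1508742600  # constructed fixed timestamp agreed by vendor and reviewers


def build_artifact(source: bytes, build_time: int) -> bytes:
    """Toy linker: 4-byte magic, 4-byte little-endian build timestamp, then the payload."""
    return b"TOY\x00" + struct.pack("<I", build_time) + source


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_ranges(a: bytes, b: bytes) -> list:
    """Return [start, end) byte ranges where the two artifacts differ; a length mismatch is its own range."""
    ranges, start = [], None
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    if len(a) != len(b):
        ranges.append((n, max(len(a), len(b))))
    return ranges


def verify_against_published(source: bytes, published: bytes, build_time: int) -> dict:
    """Rebuild from the reviewed source and compare with the shipped binary.

    Digests answer 'does it match'; the byte ranges let a reviewer locate a
    mismatch (timestamp field vs. extra code the source never contained).
    """
    rebuilt = build_artifact(source, build_time)
    return {
        "reproducible": rebuilt == published,
        "rebuilt_sha256": sha256_hex(rebuilt),
        "published_sha256": sha256_hex(published),
        "diff_ranges": diff_ranges(rebuilt, published),
    }


# Constructed scenario: what the auditors read, and three shipped binaries.
REVIEWED_SOURCE = b"int main(void){return 0;}\n"
VENDOR_BUILD = build_artifact(REVIEWED_SOURCE, SOURCE_DATE_EPOCH)               # deterministic build
NAIVE_VENDOR_BUILD = build_artifact(REVIEWED_SOURCE, SOURCE_DATE_EPOCH + 3600)  # same source, built an hour later
TAMPERED_BUILD = build_artifact(REVIEWED_SOURCE + b"/*extra*/", SOURCE_DATE_EPOCH)  # bytes the source lacks


def demo() -> dict:
    """Reviewer rebuilds with the agreed timestamp and checks each shipped binary."""
    return {
        "naive": verify_against_published(REVIEWED_SOURCE, NAIVE_VENDOR_BUILD, SOURCE_DATE_EPOCH),
        "deterministic": verify_against_published(REVIEWED_SOURCE, VENDOR_BUILD, SOURCE_DATE_EPOCH),
        "tampered": verify_against_published(REVIEWED_SOURCE, TAMPERED_BUILD, SOURCE_DATE_EPOCH),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result["reproducible"], result["diff_ranges"])
```

Real toolchains add more drift than one timestamp (embedded paths, link order, parallel builds), which is what makes the reply "reproducible builds are hard" accurate; the check itself stays the same.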

  • Hitler gave Putin a high-five while they both kicked my dog!!!!!1!!

  • I bet they did a quick bikini wax before they lifted their skirt.
