'We've nothing to hide': Kaspersky Lab offers to open up source code

Russian cybersecurity software flinger Kaspersky Lab has offered to open up its source code for third-party review. The firm's Global Transparency Initiative is in response to moves to ban the use of its technology on US government systems by the Department of Homeland Security over concerns of alleged ties with the Russian …

  1. fluffybunnyuk

    And what about the spooks setting up a shell company as a front for getting access to the source code to look for exploits?

    Not a good move by Kaspersky, the signatures should remain known only to Kaspersky or it's too easy to rewrite that segment of code.

  2. FF22

    Worth nothing

    Can we compile Kaspersky AV binaries from that source code, and run that on our computers? Can we do the same with any and all updates to the software? If not, this "offer" is worthless.

    Also, I rather doubt that Kaspersky's update process wouldn't have the ability to run any arbitrary code (either directly or by loading a freshly downloaded executable library in memory), at which point they're proven to have built a possible backdoor into their software.

    1. iron Silver badge

      Re: Worth nothing

      "Also, I rather doubt that Kaspersky's update process wouldn't have the ability to run any arbitrary code (either directly or by loading a freshly downloaded executable library in memory), at which point they're proven to have built a possible backdoor into their software."

      Surely that accusation could be levelled at all AV software from Avast to Norton (ewww) to Windows Defender?

      1. DougS Silver badge

        Re: Worth nothing

        Of course it can, but that doesn't change the point that the offer to show code is meaningless. I still think using Microsoft's AV is the best solution - they already control the OS code so if you can't trust them you're already screwed.

        Does other AV software really work better enough that it is worth trusting another company with that type of extremely low level access? Despite all their bullshit about having "AI" capability to detect threats before they become known, in practice if the signature isn't in their database yet when the malware arrives it'll get you. Unless other companies are significantly faster in updating the signatures I don't see why you'd want to go with a third party for AV software.

        At least Microsoft is less likely to detect a system file as malware and quarantine it, which occasionally happens with the others.

        1. Roland6 Silver badge

          Re: Worth nothing

          "I still think using Microsoft's AV is the best solution - they already control the OS code so if you can't trust them you're already screwed."

          But if you're using Win10 (or 7 or 8 with the CEI and added telemetry updates) you've already granted permission to MS and its selected third parties to scan and potentially upload the contents of your HDD. So you've effectively agreed to the NSA to spy on you in exactly the same way the US are accusing Kaspersky and the Russian spooks.

          Now we can look at the source code of Windows and MS's AV all we want, but as you've already noted it is a meaningless exercise, in part because the hooks necessary to allow eavesdropping by state agencies are already present as they are needed to support the legitimate function of the code.

          "Unless other companies are significantly faster in updating the signatures I don't see why you'd want to go with a third party for AV software."

          Well it is obvious from all the shouting from the US why you should now use Kaspersky! MS AV won't detect the US government malware, whereas Kaspersky will! Which effectively gives us a practical demonstration of security in depth and not relying on a single vendor!

        2. nkuk

          Re: Worth nothing

          You're trusting the company that couldn't secure their OS to secure their OS? MS AV is proven over and over again to be the worst in independent tests.

  3. Roger B

    I thought this offer had been made available months ago but no one took them up on it?

    Actually, back in July it is mentioned as a headline on a random site called mobilescout.com

    The timeline for this, as I remember it, seems to have been:

    Kaspersky accused by Trump White House (See he can't be with the Russians he disagrees with them!) of allowing Russia to hack into western/USA computers,

    Kaspersky deny this and offer up the source code, which no one took them up on

    Quiet for a month or so

    Suddenly Israel find Russian spies ARE using Kaspersky to hack into western/USA computers

    Coincidence?

    Example of even a broken clock telling the right time twice a day?

    Confirmation bias?

    1. Anonymous Coward

      Broken Clock

      Not always true; you must first define in what manner the clock is broken. Assume a classical mechanical clock. If a component seizes during normal operation, that might be true, but if something physically breaks, it's possible that the hands will not display a valid time. As an example, if both hands point precisely downwards (which makes sense if the mechanism went limp), it makes 5:30 vs 6:30 ambiguous; it's also possible that one or more hands will fall off.

      1. ShadowDragon8685

        Re: Broken Clock

        Um... Both hands on an analog clock pointing precisely downwards is going to be reading a time of half-past six.

        1. Roland6 Silver badge

          Re: Broken Clock

          "Both hands on an analog clock pointing precisely downwards is going to be reading a time of half-past six."

          No, on an analogue clock, at 6:30 the minute hand will be pointing precisely straight-down covering the '6', the hour hand will point halfway between the '6' and '7'.

          The only time both hands point precisely at the same numeral is 12:00.

          1. Paul Crawford Silver badge

            Re: Broken Clock

            True, both hands will point at precisely the place multiple times, but only at 12:00 will that coincide with the numeral indicator.

          2. ShadowDragon8685

            Re: Broken Clock

            Gah! You're right. I don't know what the heck I was thinking. Apparently 4 days ago I had the dumb and could not brain.

    2. Yet Another Anonymous coward Silver badge

      "Suddenly Israel find Russian spies ARE using Kaspersky to hack into western/USA computers"

      IIRC Israeli spies hacked into Kaspersky and found that they (Kaspersky) had detected USA malware.

  4. steelpillow Silver badge
    Thumb Up

    Better than bad

    I really don't see an Open Source AV codebase as a greater security risk than an Open Source OS codebase.

    Even if you do think OS is worth nothing, that is better than a downright liability. If the perception is that Kaspersky has secret IP potentially accessible to its host nation's spooks, then making all its IP public domain removes that perception.

  5. Palpy

    Assertions about comms and FSB

    "Under Russian laws and according to Kaspersky Lab’s certification by the F.S.B., the company is required to assist the spy agency in its operations, and the F.S.B. can assign agency officers to work at the company. Russian law requires telecommunications service providers such as Kaspersky Lab to install communications interception equipment that allows the F.S.B. to monitor all of a company’s data transmissions."

    If these assertions are true, then the source code could be pretty innocuous and there would still be security risks.

    And I suppose that US or UK agencies could pull similar strings in some cases with companies based in their respective nations. The difference is, of course, the concern caused by Russian theft of US secrets, versus US theft of US secrets. "But we do the same thing to other people" is not a valid reason for the US or UK to trust Kaspersky.

    If indeed the FSB requires Kaspersky to allow them to monitor its data and comms.

    1. Yet Another Anonymous coward Silver badge

      Re: Assertions about comms and FSB

      The same applies to US and UK companies except with the extra bit about the law being secret.

      The question you have to ask yourself is, who do you need protecting against - the USA/UK government or the FSB?

      If you are an anti-governmental organisation, e.g. Greenpeace, black-lives-matter, Boris's election campaign, etc., then use the one owned by the FSB. If you are a Russian target, e.g. Boeing/Lockheed - use the one owned by the NSA. If you are BAe you are out of luck.

      1. Anonymous Coward

        Re: Assertions about comms and FSB

        "The same applies to US and UK companies except with the extra bit about the law being secret."

        Umm, no, a telco has the requirement for intercept very publicly stated in the license - without it, no license to print money operate.

        This enabled the game the telcos have been playing with new usurpers of their revenue such as Skype et al: the accusation of "supporting criminals" was pretty much the first thing they came up with.

        In a nutshell, if you're not a telco, getting you to support intercept/surveillance is a LOT more complicated in law. Not impossible, but harder.

    2. Anonymous Coward

      Re: Assertions about comms and FSB

      "Russian law requires telecommunications service providers such as Kaspersky Lab to install communications interception equipment that allows the F.S.B. to monitor all of a company’s data transmissions."

      Small annoying detail: Kaspersky is not a telco, nor has it ever been one.

  6. J J Carter Silver badge
    Trollface

    Pow!

    Get Linus Torvalds to skim through the code and offer his observations on the quality.

    1. Snorlax
      Windows

      Re: Pow!

      @J J Carter:"Get Linus Torvalds to skim through the code and offer his observations on the quality."

      That guy wouldn't recognise quality code if it kicked him in the balls.

  7. PC LOAD LETTER

    Sadly for [those]* looking for a fall guy, this won't change their minds. However, for those of us that feel that Kaspersky may be receiving unfair blame or would like to renew their faith in their products, rather than having to rely on other dodgy AV solutions, this is welcome.

    * Insert your favorite corporation, government and/or TLA for all values of [those]

  8. Marty McFly
    Facepalm

    One word:

    "The initiative comes days after reports that Russian government hackers used Kaspersky antivirus software to siphon off classified material from a PC belonging to a NSA contractor."

    Can you say HONEYPOT?

    1. Yet Another Anonymous coward Silver badge

      Re: One word:

      Or NSA contractor copied NSA malware onto an unauthorised computer, said computer was running Kaspersky AV which uploaded the malware signature. Depends if you believe in NSA contractor incompetence or elite Russian cyber whatsit.

      1. Anonymous Coward

        Re: One word:

        Not so much incompetence, but they make mistakes - everyone does. So I would believe that they got lucky on a mistake.

        On the other side, the NSA benefits from mistakes other people make. This is why having a thorough collection program is so important - you pick up on lots of mistakes and are thus able to collect lots of valuable information. Thus, these places require "plodders" rather than brilliant 'leet h4ckors...

  9. fidodogbreath Silver badge

    AV is a mixed bag

    There have been numerous widely reported cases of serious programming flaws in basically all of the major AV packages, not to mention the many borked updates that have shut down network connections or 'quarantined' legitimate system files. All of these programs present a large attack surface, running secret and proprietary code at a highly invasive and privileged level -- code that's probably easier to exploit than the OS, and/or that creates new OS holes by jacking into system processes that were not designed to be jacked into.

    Given that, it doesn't really matter to me whether Kaspersky "gave" the Russian government a back door or if the spookskis figured it out on their own. I think it's prudent to assume that the various global TLAs have similar exploits that target all of the common AV packages. The difference with Kaspersky is just that we've heard about it.

  10. elgarak1

    As far as I understand, the client software was doing exactly what it advertised. Including sending back data from users to Kaspersky in order to allow them to improve the client software. That's not the problem. The problem arises about certain intelligence services spooking around on Kaspersky servers, and accessing the data for other nefarious purposes. The problem arises that there's suspicion that some of those intelligence services were there with Kaspersky's knowledge and cooperation.

    Publishing the source code does not dispel these suspicions.

    (And yes, Western intelligence services may be doing the same. If they were caught doing it, they would be in deeper doodoo than the FSB, since the latter was actually following Russian law. But Western services typically do it more elegantly and prepare for that eventuality better.)

  11. Robert D Bank

    Annoying either way

    Such a boring merry-go-round of twattery, headed by state actors/crims of ne'er-do-well intent. I class them all the same, they just dick wave each other to see who can wave the biggest 'wand'. Fucking twats. Let honest people live their lives without constant threat, get a life FFS.

  12. ExampleOne

    The Kaspersky row, like the Huawei row before it, smells a little of the US government "judging others by their own low standards". On this basis, can we assume the US based AV options are all compromised by the US intelligence agencies?

    1. John G Imrie Silver badge

      "can we assume the US based AV options are all compromised by the US intelligence agencies"

      You might think that, I couldn't possibly comment.

    2. Roland6 Silver badge

      "Make America great again"

      This, like other instances, smells more about making America great, by firstly discrediting non-US products in the home (US) market and allowing the media to spread the FUD around the world. Secondly, by getting the non-US business to open themselves up to inspection by US 'officials' - who we can expect (as this is what happened in the past) to pass information obtained on to US businesses who would normally have had to compete with the non-US companies. Thirdly, the US companies will, having divided the non-US companies (do you trust critical software from a country other than your own?) be able to reconquer the world...

      Following this strategy it won't be long before the US regains its 'lead' and hold on the IT sector...

  13. fluffybunnyuk

    *sniffs armpit* hmm that's weird, it didn't seem so bad before posting and getting almost entirely downvoted into hell. What was it about not giving vectors of attack to people who would exploit them that people here hated so much?

  14. Aodhhan Bronze badge

    A bunch of comments on the obvious.

    It's old news.

    The only people still giving this any time are those who have a belief one way (for themselves--and those who think like them), and then oppose the same belief two sentences later (for everyone else).

  15. Sssss

    So, what about if they hide a bit of extra binary in all the hundreds of megabytes that sent control to something else? Open source doesn't mean it is the same code as the binary you have, just that it should be. You need to open source the tool chain setup, so that the video can be shown to compile to the exact same binary (then look for tricky things and bugs that result in control being able to be obtained). But in that case, what you could do is compromise the tool in order to do it without detection, and so on.
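
The check the last comment asks for, as an added example that is not part of the thread or any vendor's tooling: rebuild from the published source with the same toolchain, then compare the result bit for bit against the shipped binary. The two images are constructed byte strings, and `make_image`, `verify_rebuild` and `differing_ranges` are hypothetical names.

```python
import hashlib

def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def differing_ranges(a: bytes, b: bytes, chunk: int = 64):
    """Return merged (offset, length) ranges where the two images differ."""
    ranges = []
    for off in range(0, max(len(a), len(b)), chunk):
        if a[off:off + chunk] != b[off:off + chunk]:
            if ranges and ranges[-1][0] + ranges[-1][1] == off:
                # Adjacent to the previous differing chunk: extend that range.
                ranges[-1] = (ranges[-1][0], ranges[-1][1] + chunk)
            else:
                ranges.append((off, chunk))
    return ranges

def verify_rebuild(shipped: bytes, rebuilt: bytes, chunk: int = 64) -> dict:
    """Source review only covers the shipped binary if the rebuild is identical."""
    same = sha256(shipped) == sha256(rebuilt)
    return {
        "reproducible": same,
        "shipped_sha256": sha256(shipped),
        "rebuilt_sha256": sha256(rebuilt),
        "size_delta": len(shipped) - len(rebuilt),
        # Where to start looking when the hashes disagree.
        "differing_ranges": [] if same else differing_ranges(shipped, rebuilt, chunk),
    }

def make_image(extra: bytes = b"") -> bytes:
    """Constructed stand-in for a binary: code, zero padding, trailing data."""
    code = bytes(range(256)) * 4      # 1024 bytes of "code"
    padding = bytearray(256)          # alignment padding at offset 1024
    padding[:len(extra)] = extra      # bytes not present in the source build
    return code + bytes(padding) + b"SIGDB" * 20

if __name__ == "__main__":
    rebuilt = make_image()                 # what the published source produces
    shipped = make_image(b"\xcc" * 80)     # same size, 80 extra bytes in padding
    report = verify_rebuild(shipped, rebuilt)
    print(report["reproducible"], report["size_delta"], report["differing_ranges"])
```

A mismatch does not by itself prove tampering: an unpinned compiler or an embedded timestamp also changes the hash, which is why the toolchain setup has to be published along with the source.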


Biting the hand that feeds IT © 1998–2019