Kaspersky repeats offer: America can see my source code

Eugene Kaspersky, founder of the eponymous antivirus firm, has reiterated his offer to give the US government access to his source code. The company is moving to try and head off budget legislation which, as we wrote last week, would shut Kaspersky out of American military contracts. The US Senate committee that's proposed …

  1. kain preacher

    I'm thinking this has nothing to do with Kaspersky having back doors. No, I'm thinking kickbacks and bribes.

    1. Anonymous Coward

      I'm also thinking that Kaspersky had better get them to sign a rather massive non-compete. The way things seem to be working over there, it may be more about doing some Silicon Valley idiot a favour, or Microsoft. Especially Microsoft.

      1. Mephistro

        "Especially Microsoft."

        The timing is suspicious, indeed.

      2. h4rm0ny

        I doubt a non-compete would do it. When the USA sets its sights on someone they say it's because of non-cooperation by the other party, but that's just a fig-leaf. Saddam offered full access to weapons inspectors before the Iraq war. Gaddafi repeatedly offered ceasefires and dialogue from the very start of the Libya bombing. Kaspersky can offer, but unless he has a concrete guarantee that showing the source code will result in a calling off of the targeting, I wouldn't do it.

        Remember, Kaspersky Labs are the ones that exposed the "Equation Group" (aka NSA) and also were our primary source for information about Stuxnet (Israel and the USA, in all probability). They have everything to lose here.

    2. Oh Homer
      Mushroom

      McCarthyism at its most hysterical

  2. Hstubbe

    And how would they verify that what Kaspersky installs on their machines corresponds directly to the source code? How are they going to check that nothing has been modified, added or removed from the source code in between it being shown and it being compiled into a binary?

    I think it makes a lot of sense not to buy antivirus from a company that is from a country that has an active policy to destabilize your own country.

    1. Anonymous Coward

      "I think it makes a lot of sense not to buy antivirus from a company that is from a country that has an active policy to destabilize your own country."

      I think that would rule out most countries.

      1. Hstubbe

        Indeed, I don't trust USA-based anti-virus either.

    2. Anonymous Coward

      I think it makes a lot of sense not to buy antivirus from a company that is from a country that has an active policy to destabilize your own country.

      Kaspersky <> Russian government. As a matter of fact, the two are occasionally at loggerheads exactly because it doesn't whitelist ANY spyware, be it Russian, US, German (etc) and has refused to do so for as long as it's been in existence.

      Besides, if you take your argument into its logical conclusion you should not buy Windows either, in which case you no longer need Kaspersky, solving two problems at once.

      1. alain williams

        Re: America can see my source code

        Besides, if you take your argument into its logical conclusion you should not buy Windows either, in which case you no longer need Kaspersky, solving two problems at once.

        1) I don't buy (or use) MS Windows

        2) I don't need (or use) Kaspersky

    3. Anonymous Coward

      You mean USA?

    4. Anonymous Coward

      > I think it makes a lot of sense not to buy antivirus from a company that is from a country that has an active policy to destabilize your own country.

      Hear, hear! That's one reason why I do not run Microsoft products. :-)

    5. Eddy Ito
      Facepalm

      How are they going to check that nothing has been modified, added or removed from the source code in between it being shown and it being compiled into a binary?

      If only they could do something like compile the source code themselves and compare that to the binary. Boy, that's sure a sticky one isn't it.
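The check Eddy Ito describes, rebuilding from the shown source and comparing the result with the shipped binary, only works when the build is reproducible. The following is an added example (not code from the thread, from The Register, or from Kaspersky) that uses the standard-library `py_compile` as a real but tiny build step: a constructed two-line module is compiled to a `.pyc`, and a second compile of the same source is compared against it. It shows the two outcomes a verifier has to tell apart: a build that embeds a timestamp never matches, even when the vendor is honest, while a deterministic build only mismatches when the source differs from what was shown. `SOURCE`, `TAMPERED_SOURCE` and the modification times are constructed values.

```python
"""Reproducible-build verification with py_compile as the build step.

Added example, not code from the thread or from any AV vendor. The "product"
is a constructed two-line Python module; the build (py_compile) is real.
"""
import hashlib
import os
import py_compile
import tempfile

# Constructed stand-in for the source a vendor shows a reviewer.
SOURCE = "def scan(path):\n    return path.endswith('.exe')\n"
# Constructed stand-in for what was actually compiled: one extra function.
TAMPERED_SOURCE = SOURCE + "def _phone_home():\n    return 'beacon'\n"

# Two real build modes: the header of a TIMESTAMP pyc records the source
# mtime, a CHECKED_HASH pyc records a hash of the source instead (PEP 552).
TIMESTAMP = py_compile.PycInvalidationMode.TIMESTAMP
CHECKED_HASH = py_compile.PycInvalidationMode.CHECKED_HASH


def build(source_text, mtime, mode):
    """Compile source_text to a .pyc and return the artifact bytes.

    mtime is the source file's modification time (seconds since the epoch).
    dfile pins the file name embedded in the bytecode, so the random temp
    directory path does not leak into the artifact and break reproducibility.
    """
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "engine.py")
        with open(src, "w") as fh:
            fh.write(source_text)
        os.utime(src, (mtime, mtime))
        out = os.path.join(workdir, "engine.pyc")
        py_compile.compile(src, cfile=out, dfile="engine.py", doraise=True,
                           invalidation_mode=mode)
        with open(out, "rb") as fh:
            return fh.read()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def verify(shipped, source_text, mode):
    """Rebuild source_text and report whether the rebuild matches the shipped artifact."""
    rebuilt = build(source_text, mtime=0, mode=mode)
    return {
        "match": sha256(rebuilt) == sha256(shipped),
        "rebuilt": sha256(rebuilt),
        "shipped": sha256(shipped),
    }


if __name__ == "__main__":
    vendor_mtime = 1_500_000_000  # constructed: vendor built at some other time
    honest_ts = build(SOURCE, vendor_mtime, TIMESTAMP)
    honest_ch = build(SOURCE, vendor_mtime, CHECKED_HASH)
    tampered_ch = build(TAMPERED_SOURCE, vendor_mtime, CHECKED_HASH)
    print("timestamp build, honest source :", verify(honest_ts, SOURCE, TIMESTAMP)["match"])
    print("hash build, honest source      :", verify(honest_ch, SOURCE, CHECKED_HASH)["match"])
    print("hash build, tampered source    :", verify(tampered_ch, SOURCE, CHECKED_HASH)["match"])
```

The first case is the trap: a mismatch from a non-deterministic build proves nothing about the vendor, so a verifier must first get a bit-for-bit reproducible build (pinned toolchain, no build paths or wall-clock times in the output; for Python, setting `SOURCE_DATE_EPOCH` makes `py_compile` default to hash-based pycs) before a mismatch means anything. Only then does the third case, a differing hash, point at the source and the shipped binary not being the same thing.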

    6. boatsman

      a country that has an active policy to destabilize ???? let us see about the USA.....

      - salvador allende: murdered, with the help of the CIA

      - mossadegh, democratically elected prime minister of persia : ousted

      - every head of state in europe : ( merkel, berlusconi, <-.....-> ) : spied on their conversations with anyone

      - nicaragua : dead squads and the works, supported by the usa

      - el salvador : same thing

      - guatemala : same thing

      - panama : noriega, known dictator, murderer and drug dealer. henchman of the CIA, until he got too greedy

      - argentinian generals in the seventies: cia backed, murdered thousands of people

      - greece military coup in the seventies: murdered thousands, backed by the CIA

      the list goes on, it is boring. but please DO FORGET about the USA being a benevolent state. it is not.

      - it murders, conspires, bribes, eliminates, keeps people imprisoned without due process,

      - it TORTURES with presidential approval

      - it murders by proxy.

      thank you for your attention.

  3. Anonymous Coward

    Seeing the source wouldn't help

    Even if you could be 100% sure what is installed on PCs exactly matches the source. By necessity and design, AV software has some hooks pretty deep into the OS, and runs with full privileges. It also updates its behavior constantly and in a completely automated fashion, without the oversight of a sysadmin.

    It would be simple for an AV vendor - any AV vendor - to subvert every machine running its software in a matter of hours from the time the trigger was pulled on an "evil" update.

    Seeing the source code of AV software is like seeing the code of the Linux kernel - while allowing it to load arbitrary module binaries on its own.

    1. Craig 2

      Re: Seeing the source wouldn't help

      Precisely! So who is the intended audience for that announcement? It's a completely empty gesture to anybody with a modicum of technical know-how.

        1. CrazyOldCatMan

        Re: Seeing the source wouldn't help

        So who is the intended audience for that announcement

        Politicians. They *love* an empty gesture because it enables them to look like they are Doing Something without actually having to do anything.

    2. Jason Bloomberg
      Black Helicopters

      Re: Seeing the source wouldn't help

      Offering to show the source code may mostly be an empty gesture, but at least it shows some goodwill, presents a 'we have nothing to hide' face. There aren't that many straws for Kaspersky to grab on to in the face of this apparent hunt for witches.

      It is impossible for Kaspersky to show they are not doing wrong, as it is for everyone. Though there is an absence of evidence that they are doing wrong I imagine that is tempered by American authorities knowing they do things which they would never admit to either; 'if we're guilty, then you probably are too'.

      There is probably little Kaspersky can do. They should get ready to become fully signed-up members of the 'designated bad guys' club.

      1. Craig 2

        Re: Seeing the source wouldn't help

        "Offering to show the source code may mostly be an empty gesture, but at least it shows some goodwill,"

        Sorry, but if empty gestures generate goodwill with you then more fool you.

        I agree it's impossible for Kaspersky to win here. If America has decided that Kaspersky is "bad" then it's probably for other political reasons rather than an actual belief in them subverting their own software.

        1. Anonymous Coward

          Re: Seeing the source wouldn't help

          If America has decided that Kaspersky is "bad" then it's probably for other political reasons rather than an actual belief in them subverting their own software.

          You left out the most likely possibility. That they don't think Kaspersky is bad TODAY, but is a threat to be bad, because it is Russian and the Russian government is able to exercise considerable control over Russian companies via multiple means. If they did so, like I said in my above post, they could own all PCs running Kaspersky AV in a matter of hours. Or they could target it at only certain people (people involved in elections, or people at the Pentagon, or people in the oil industry, or whatever).

          Lest someone think the idea the Russian government would secretly subvert Kaspersky is silly, look at the Snowden revelations about the cooperation the CIA was secretly getting from most major US tech companies. It is unlikely all those companies would have decided to cooperate voluntarily, so there must have been some sort of arm-twisting used. Does anyone really believe the US government is capable of exerting more control over US companies than the Russian government is capable of exerting over Russian companies? You'd have to be a big-time Putin apologist to believe that line.

          Of course the US government should not trust Russian AV software, or Chinese AV software, versus US AV software. That should hardly be controversial, given the potential risk. The equation is different for others - you have to decide "who is more of a threat to me?" As an American citizen, the US government can make my life a lot worse than the Russian government or Chinese government - unless I travel to one of those countries, they have little reason to be interested in me or try to hack me. So I don't have much reason to worry about being targeted by the Russian government's hackers. Of course if I was running elections for my county, that might be a different story...

          1. a_yank_lurker

            Re: Seeing the source wouldn't help

            @DougS - "Of course if I was running elections for my county, that might be a different story..." - Georgia (state not country) reported the ferals (DHS I believe) were actively hacking the state's voter rolls, etc. this last Presidential election.

  4. Steve Davies 3

    An Education for the TLA's

    I'd expect that seeing the source code may well show some nifty tricks that the various TLA's don't know about, which they could [cough-cough] put to good use in future NSA hacking tools.

    So, what's not to lose by inspecting the source code, eh? It does not mean that Kaspersky gets any preferential treatment when tendering, or the likes of MS/Symantec etc. would be filing suit in a flash.

    Don't ban Kaspersky by law, just don't choose them for sensitive contracts. Even the tweeter in chief should be happy at that sort of deal.

    1. patrickstar

      Re: An Education for the TLA's

      I'm sure that just about everyone for whom it would be relevant has read the Kaspersky source that leaked a number of years ago, and/or reverse engineered any parts that would be interesting.

      But really, there's not much to see in standard AV software. Basically, if you sit down and try to accomplish the same thing as they do, you'll realize there are only a few ways it can be done. At most there'll be some rootkit detection tricks and such, but they will almost by definition be useless since rootkit authors will have tested their stuff against the AVs and worked around it already.

      1. Anonymous Coward

        Re: An Education for the TLA's

        Basically, if you sit down and try to accomplish the same thing as they do, you'll realize there are only a few ways it can be done.

        Not necessarily - AV since the mid-90s (first NLCV, then F-prot who picked brains from there, then Kaspersky, then the rest) has been doing "fuzzy" emulation of x86 hardware as part of the detection. There are some extremely nifty tricks in both the instruction tracing and hardware emulation part of this code which differ from AV to AV and can be interesting to analyze for both toolkit design and evasion purposes. They also are something which can be nicely bartered later to "partners" which work on emulation, virtualization and other topics of mutual interest.

        So there is benefit in doing this. Just not for Evgeni - for him it is a lose lose so he might as well cut his losses now and tell the congress to gently bugger itself with a chainsaw.

        1. patrickstar

          Re: An Education for the TLA's

          Of course you are not going to arrive at the exact same implementation details. But it's not gonna be news to you (or anyone else writing AVs in the post-Dark Avenger Mutation Engine era, so early rather than mid-90's) that one is needed in the first place if you're gonna do a full-blown AV. From then you also have to decide on whether it will be a simple "big switch()" type emulator or some sort of binary translation.

          But the source code of the emulator of one specific AV is pretty uninteresting for evasion purposes, plus any source has a short shelf-life since this is among the things frequently fiddled with in auto-updates. If an AV company encounters a sample that screws up emulation and there are no other usable signatures, they are gonna push out an update to the emulator (or the rules governing it). And that's the end of whatever smart evasion trick you found by reading the source.

          No one actually sits around evading one specific AV and nothing else. And there's a lot of sharing of samples/signatures (as well as outright pilfering from rivals, but that's another story entirely), so once you have one detection more are sure to follow.

          At most the situation can arise where one AV keeps detecting something after the rest have been successfully evaded, but the chances of that particular AV being KAV of the specific version you have source code of is pretty slim.

          Plus, the most important emulator trick is probably just spending enough cycles doing make-believe "work" so that the emulator gives up.

          This is also an issue you will face universally when developing an emulator without ever having seen an existing AV before (and you'll also realize early on that one of the most important things you need to do is quickly determine how much time to spend emulating a specific file).
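The two design decisions patrickstar mentions, the "big switch()" style of emulator and the question of how many cycles to spend on one file, are easy to see in miniature. The block below is an added example, not code from the thread or from any AV product: a toy register machine with five instructions (the instruction set and both sample programs are constructed), a step budget, and a `verdict()` function showing what a scanner can still conclude when the budget runs out before anything observable happened. Real engines emulate x86, weigh many more signals, and apply loop-skipping heuristics that this toy leaves out.

```python
"""Toy "big switch()" emulator with an instruction budget.

Added example, not code from the thread or from any AV engine. The tiny
instruction set and the two sample programs are constructed for illustration.
"""


def emulate(program, budget):
    """Run program under a step budget and return what the emulator observed.

    program is a list of tuples over a register machine with five ops:
      ("mov", reg, imm)     set register to immediate
      ("sub", reg, imm)     subtract immediate from register
      ("jnz", reg, target)  jump to instruction index if register != 0
      ("net", reg)          a side effect the scanner cares about (models network I/O)
      ("halt",)             stop
    """
    regs = {}
    pc = 0
    steps = 0
    events = []
    while steps < budget:
        if pc >= len(program):
            return {"status": "fell_off_end", "steps": steps, "events": events}
        op = program[pc]
        steps += 1
        kind = op[0]
        if kind == "mov":                     # the "big switch()": one branch per opcode
            regs[op[1]] = op[2]
            pc += 1
        elif kind == "sub":
            regs[op[1]] = regs.get(op[1], 0) - op[2]
            pc += 1
        elif kind == "jnz":
            pc = op[2] if regs.get(op[1], 0) != 0 else pc + 1
        elif kind == "net":
            events.append(("net", regs.get(op[1], 0)))
            pc += 1
        elif kind == "halt":
            return {"status": "halted", "steps": steps, "events": events}
        else:
            raise ValueError("unknown opcode %r" % (kind,))
    # Budget gone before the program finished: the scanner must decide now.
    return {"status": "budget_exhausted", "steps": steps, "events": events}


def verdict(result):
    """What the scanner can still say once emulation stops."""
    if result["events"]:
        return "suspicious: observable side effect during emulation"
    if result["status"] == "budget_exhausted":
        return "inconclusive: spent the whole budget without observable work"
    return "clean: ran to completion with nothing observable"


# Constructed sample programs.
QUICK = [("mov", "a", 7), ("net", "a"), ("halt",)]
# Counts down 200,000 times before doing anything observable.
STALLER = [("mov", "c", 200_000), ("sub", "c", 1), ("jnz", "c", 1),
           ("net", "c"), ("halt",)]

if __name__ == "__main__":
    for name, prog, budget in [("quick", QUICK, 100),
                               ("staller, small budget", STALLER, 50_000),
                               ("staller, large budget", STALLER, 500_000)]:
        r = emulate(prog, budget)
        print(f"{name}: {r['status']} after {r['steps']} steps -> {verdict(r)}")
```

The small-budget run of `STALLER` is the situation patrickstar describes: the emulator gives up before the interesting instruction is reached, and the engine only knows that it burned its budget on unobservable work. The usual engine response is to treat that outcome as a signal in its own right rather than as "clean", and to tune the budget per file type and size, which is the "how much time to spend emulating a specific file" decision.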

    2. bombastic bob
      Devil

      Re: An Education for the TLA's

      "Don't ban Kaspersky by law, just don't choose them for sensitive contracts. Even the tweeter in chief should be happy at that sort of deal."

      for military and national security use, there's a general tendency of "NIH" syndrome, too, if for no other reason than to NOT tie keeping your most important secrets to a company that is outside of your country.

      /me thinks of Avro and their supersonic aircraft back in the 60's. Only reason it didn't "fly" in the USA was that Avro is Canadian...

      (and yet, the USA bought Harriers for the USMC in the 80's/90's so there ya go - a lesson learned perhaps?)

      then again a better fix for the U.S. Military: stop running Windows

  5. Anonymous Coward

    Really?

    Someone in the US military authorised the use of Russian software?

    In another alternate universe North Korea are using Windows 10 in their nuclear and ICBM factories.

    1. patrickstar

      They most likely run a lot of Windows at least, since that's what's used for pretty much all industrial control systems.

    2. Voland's right hand

      Someone in the US military authorised the use of Russian...

      They have authorized use of Russian missile engines (ULA uses them to launch military hardware) and have authorized the licensing of Russian VTOL tech (F35B licenses Yak-141 designs). So there are precedents of cats sleeping with dogs.

      1. Anonymous Coward

        > They have authorized use of Russian missile engines (ULA uses them to launch military hardware) and have authorized the licensing of Russian VTOL tech (F35B licenses Yak-141 designs)

        Not to mention hitching a ride up to the ISS (and back).

    3. Anonymous Coward

      Someone in the US military authorised the use of Russian software?

      U.S. military already has no compunctions about using Russian titanium, Russian rocket engines, and even Russian tritium in its toys. Why not the software?

      1. Anonymous Coward

        I get the hardware side, but software? It seems a bit silly really when you have no way of knowing what it's going to do. Sure, you can always do some packet sniffing, but then you could get it to wait an amount of time before activating.

      2. Anonymous Coward

        U.S. military already has no compunctions about using Russian titanium, Russian rocket engines, and even Russian tritium in its toys.

        .. and German rocket scientists ..

        1. Ramazan

          Re: and German rocket scientists

          Nazi scientists, to be precise. The same's true for the USSR; they also employed all the talented Nazis they could get their hands on. The world didn't stop spinning, and all the exterminated Jews made an extra spin in their graves for that.

    4. Winkypop
      Trollface

      Da

      The US military's commander-in-chief is a Russian import as well.

      So...

  6. Mark 85

    I still believe what I said before, but I'll add this: use Kaspersky in any part of government EXCEPT the US military.

    https://forums.theregister.co.uk/forum/1/2017/06/30/us_senators_want_kaspersky_shut_out_of_military_contracts/#c_3222395

    1. Notas Badoff

      Ave Senatus Populusque Russia!

      Strange that I wonder if the stated aim of the US senators and the hidden aim of (cough) other governments just might align in some way. The goals might be diametrically opposed, but perhaps one group is aiding the other group without realizing it?

      (I used to think I was cynical but the world just keeps on making me feel naive.)

  7. Alistair
    Windows

    Russian AV bad bad bad

    The Russian government could compromise the company with an update. <is essentially what is being posited>.

    Umm. lesseee.... (checkbox labelled 'update automatically') --- noooo, not that one

    (checkbox labelled 'notify me when updates available') ---- that looks better

    and I'm rather sure that the military types could do, oooh this thing called DNS redirection. -- y'know, like, perhaps have the updates TESTED first.

    Long and short of the issue -- *anyone*, given sufficient resources, and effort, could compromise *any* software out there that is set to automatically update. ...Oh hello Microsoft.

    Globalization meets global politics. Dear ${DEITY} the dick waving.
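Both the Anonymous Coward post above ("Seeing the source wouldn't help") and Alistair's reply come down to the same control point: the auto-update channel. Turning off automatic updates and testing them first, as Alistair suggests, is a policy an operator can write down and enforce. The block below is an added example, not code from the thread or from any AV vendor: an update gate that (1) refuses a payload unless its hash matches a vendor manifest whose authenticity it can check, and (2) refuses to deploy a version to a ring until every earlier ring (test, canary) has signed off on it. The manifest is authenticated with HMAC-SHA256 under a constructed shared key, which stands in for whatever public-key signature scheme a real vendor uses; `RINGS`, the version string and the payload bytes are constructed.

```python
"""Staged update gate: manifest check plus ring-by-ring approval.

Added example, not code from the thread or from any AV product. HMAC under a
constructed shared key stands in for the vendor's real signature scheme.
"""
import hashlib
import hmac
import json

VENDOR_KEY = b"constructed-demo-key"        # constructed; a real vendor would sign, not MAC
RINGS = ["test", "canary", "production"]     # constructed rollout order


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def sign_manifest(manifest):
    """Vendor side: authenticate the manifest (canonical JSON) with HMAC-SHA256."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(VENDOR_KEY, body, hashlib.sha256).hexdigest()


def manifest_ok(manifest, signature, blob):
    """Operator side: is this payload the one the authenticated manifest describes?"""
    if not hmac.compare_digest(sign_manifest(manifest), signature):
        return False, "bad manifest signature"
    if sha256_hex(blob) != manifest["sha256"]:
        return False, "payload hash does not match manifest"
    return True, "ok"


class UpdateGate:
    """Tracks which rings have approved which version and enforces the ring order."""

    def __init__(self):
        self.approved = {}  # version -> set of rings that signed off

    def approve(self, version, ring):
        self.approved.setdefault(version, set()).add(ring)

    def can_deploy(self, manifest, signature, blob, ring):
        ok, why = manifest_ok(manifest, signature, blob)
        if not ok:
            return False, why
        done = self.approved.get(manifest["version"], set())
        missing = [r for r in RINGS[:RINGS.index(ring)] if r not in done]
        if missing:
            return False, "not yet approved in ring(s): " + ", ".join(missing)
        return True, "ok"


# Constructed sample update.
SAMPLE_BLOB = b"constructed update payload"
SAMPLE_MANIFEST = {"version": "constructed-1", "sha256": sha256_hex(SAMPLE_BLOB)}
SAMPLE_SIGNATURE = sign_manifest(SAMPLE_MANIFEST)


def scenario():
    """Walk one update through the rings; returns the gate's decision at each step."""
    gate = UpdateGate()
    decisions = []
    # 1. Straight to production with no testing: refused.
    decisions.append(gate.can_deploy(SAMPLE_MANIFEST, SAMPLE_SIGNATURE, SAMPLE_BLOB, "production"))
    # 2. The test ring has no prerequisites.
    decisions.append(gate.can_deploy(SAMPLE_MANIFEST, SAMPLE_SIGNATURE, SAMPLE_BLOB, "test"))
    gate.approve("constructed-1", "test")
    gate.approve("constructed-1", "canary")
    # 3. Production after test and canary signed off: allowed.
    decisions.append(gate.can_deploy(SAMPLE_MANIFEST, SAMPLE_SIGNATURE, SAMPLE_BLOB, "production"))
    # 4. A payload that differs from the manifest, even by one byte: refused.
    decisions.append(gate.can_deploy(SAMPLE_MANIFEST, SAMPLE_SIGNATURE, SAMPLE_BLOB + b"x", "production"))
    return decisions


if __name__ == "__main__":
    for allowed, reason in scenario():
        print("deploy" if allowed else "refuse", "-", reason)
```

The manifest check answers "is this the update the vendor published?"; the ring check answers "has anyone looked at it yet?". Neither stops a vendor (or whoever controls the vendor's signing key) from shipping a malicious update, which is the thread's point; what the gate buys is that such an update lands in a test ring first, where it can be observed, instead of on every machine at once.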

    1. Anonymous Coward

      Re: Russian AV bad bad bad

      Just ask Ukraine's government, M.E.Doc, and a host of others how well automated updates work out. For the Red Team. Now, as to my Senatorial variety of Congresscritters, and almost certainly Sen. DiFi, I'm surely cussed enough to buy a site license for Kaspersky. Even if it's not for my use. Perfect timing actually, the AVG one I had for my fellow housemates just expired.

  8. Tikimon
    Facepalm

    First, destroy the honest ones

    Destroy the honest ones who won't play along with invasive government spooks. Then there will only be left "compliant" companies like Microsoft and Google and Verizon - the ones that roll over and give the government front-door access straight from the source.

    This isn't about Kaspersky being Russian. This is a move to discredit and remove a large and painful thorn in the side of US surveillance. The anti-Rooskie spin is just cover.

    1. Anonymous Coward

      Re: First, destroy the honest ones

      Breaking out my power-conflict lens and looking at this situation that way, very plausible. Kaspersky had been front and center reporting on nation-state hacking. Remember Stuxnet? Yeah, that nation-state.

    2. Mahhn

      Re: First, destroy the honest ones

      You hit the nail on the head

  9. trisul

    Offering to show the source is actually a sign of a scam. The source need not be identical to the actual build, and antivirus software updates daily, which means that it could be a clean platform with the ability to go cyberwarfare on demand.

    This makes sense as Putin is already waging war on us, and Kaspersky could be one of their intended "cyber carriers". Kaspersky is too close to Putin, too compromised to be acceptable. You need a vendor that is visibly above reproach, someone who would have no interest in working with the Putin war machine. Kaspersky is not such a company.

    I believe they should be purged from all government agencies in the West, as well as important civilian infrastructure. They are just too risky.
