'We've nothing to hide': Kaspersky Lab offers to open up source code Russian cybersecurity software flinger Kaspersky Lab has offered to open up its source code for third-party review. The firm's Global Transparency Initiative is in response to moves to ban the use of its technology on US government systems by the Department of Homeland Security over concerns of alleged ties with the Russian …
Can we compile Kaspersky AV binaries from that source code, and run that on our computers? Can we do the same with any and all updates to the software? If not, this "offer" is worthless.
Also, I rather doubt that Kaspersky's update process wouldn't have the ability to run any arbitrary code (either directly or by loading a freshly downloaded executable library in memory), at which point they're proven to have built a possible backdoor into their software.
"Also, I rather doubt that Kaspersky's update process wouldn't have the ability to run any arbitrary code (either directly or by loading a freshly downloaded executable library in memory), at which point they're proven to have built a possible backdoor into their software."
Surely that accusation could be levelled at all AV software from Avast to Norton (ewww) to Windows Defender?
Of course it can, but that doesn't change the point that the offer to show code is meaningless. I still think using Microsoft's AV is the best solution - they already control the OS code so if you can't trust them you're already screwed.
Does other AV software really work better enough that it is worth trusting another company with that type of extremely low level access? Despite all their bullshit about having "AI" capability to detect threats before they become known, in practice if the signature isn't in their database yet when the malware arrives it'll get you. Unless other companies are significantly faster in updating the signatures I don't see why you'd want to go with a third party for AV software.
At least Microsoft is less likely to detect a system file as malware and quarantine it, which occasionally happens with the others.
I still think using Microsoft's AV is the best solution - they already control the OS code so if you can't trust them you're already screwed.
But if your using Win10 (or 7 or 8 with the CEI and added telemetry updates) you've already granted permission to MS and it's selected third-parties to scan and potentially upload the contents of your HDD. So you've effectively agreed to the NSA to spy on you in exactly the same way the US are accusing Kaspersky and the Russian spooks.
Now we can look at the source code of Windows and MS's AV all we want, but as you've already noted it is a meaningless exercise, in part because the hooks necessary to allow eavesdropping by state agencies are already present as they are needed to support the legitimate function of the code.
Unless other companies are significantly faster in updating the signatures I don't see why you'd want to go with a third party for AV software.
Well it is obvious from all the shouting from the US why you should now use Kaspersky! MS AV won't detect the US government malware, whereas Kaspersky will! Which effectively gives us a practical demonstration of security in depth and not relying on a single vendor!
I thought this offer had been made available months ago but no one took them up on it?
Actually, back in July it is mentioned as a headline on a random site called mobilescout.com
The time line for this, as I remember it seems to of been;
Kaspersky accused by Trump White House (See he can't be with the Russians he disagrees with them!) of allowing Russia to hack into western/USA computers,
Kaspersky deny this and offer up the source code, which no one took them up on
Quiet for a month or so
Suddenly Israel find Russian spies ARE using Kaspersky to hack into western/USA computers
Coincidence?
Example of even a broken clock telling the right time twice a day?
Confirmation bias?
Not always true; you must first define in what manner the clock is broken. Assume a classical mechanical clock. If a component seizes during normal operation, that might be true, but if something physically breaks, it's possible that the hands will not display a valid time. As an example, if both hands point precisely downwards (which makes sense if the mechanism went limp), it makes 5:30 vs 6:30 ambiguous; it's also possible that one or more hands will fall off.
Both hands on an analog clock pointing precisely downwards is going to be reading a time of half-past six.
No, on an analogue clock, at 6:30 the minute hand will be pointing precisely straight-down covering the '6', the hour hand will point halfway between the '6' and '7'.
The only time both hands point precisely at the same numeral is 12:00.
I really don't see an Open Source AV codebase as a greater security risk than an Open Source OS codebase.
Even if you do think OS is worth nothing, that is better than a downright liability. If the perception is that Kaspersky has secret IP potentially accessible to its host nation's spooks, then making all its IP public domain removes that perception.
"Under Russian laws and according to Kaspersky Lab’s certification by the F.S.B., the company is required to assist the spy agency in its operations, and the F.S.B. can assign agency officers to work at the company. Russian law requires telecommunications service providers such as Kaspersky Lab to install communications interception equipment that allows the F.S.B. to monitor all of a company’s data transmissions."
If these assertions are true, then the source code could be pretty innocuous and there would still be security risks.
And I suppose that US or UK agencies could pull similar strings in some cases with companies based in their respective nations. The difference is, of course, the concern caused by Russian theft of US secrets, versus US theft of US secrets. "But we do the same thing to other people" is not a valid reason for the US or UK to trust Kaspersky.
If indeed the FSB requires Kaspersky to allow them to monitor its data and comms.
The same applies to US and UK companies except with the extra bit about the law being secret.
The question you have to ask yourself is, who do you need protecting against - the USA/UK government or the FSB?
If you are anti-governmental organisation eg. Greenpeace, black-lives-matter, Boris's election campaign, etc then use the one owned by the FSB. If you are a Russian target eg. Boeing/Lockheed - use the one owned by the NSA. If you are BAe you are out of luck
The same applies to US and UK companies except with the extra bit about the law being secret.
Umm, no, a telco has the requirement for intercept very publicly stated in the license - without it, no license to print money operate.
This enabled the game the telcos have been playing with new usurpers of their revenue such as Skype et al: the accusation of "supporting criminals" was pretty much the first thing they came up with.
In a nutshell, if you're not a telco, getting you to support intercept/surveillance is a LOT more complicated in law. Not impossible, but harder.
Russian law requires telecommunications service providers such as Kaspersky Lab to install communications interception equipment that allows the F.S.B. to monitor all of a company’s data transmissions.
Small annoying detail: Kaspersky is not a telco, nor has it ever been one.
Sadly for [those]* looking for a fall guy, this won't change their minds. However, for those of us that feel that Kaspersky may be receiving unfair blame or would like to renew their faith in their products, rather having to rely on other dodgy AV solutions, this is welcome.
* Insert your favorite corporation, government and/or TLA for all values of [those]
No so much incompetence, but they make mistakes - everyone does. So I would believe that they got lucky on a mistake.
On the other side, the NSA benefits from mistakes other people make. This is why having a thorough collection program is so important - you pick up on lots of mistakes and are thus able to collect lots of valuable information. Thus, these places require "plodders" rather than brilliant 'leet h4ckors...
There have been numerous widely reported cases of serious programming flaws in basically all of the major AV packages, not to mention the many borked updates that have shut down network connections or 'quarantined' legitimate system files. All of these programs present a large attack surface, running secret and proprietary code at a highly invasive and privileged level -- code that's probably easier to exploit than the OS, and/or that creates new OS holes by jacking into system processes that were not designed to be jacked into.
Given that, it doesn't really matter to me whether Kaspersky "gave" the Russian government a back door or if the spookskis figured it out on their own. I think it's prudent to assume that the various global TLAs have similar exploits that target all of the common AV packages. The difference with Kaspersky is just that we've heard about it.
As far as I understand, the client software was doing exactly what it advertised. Including sending back data from users to Kaspersky in order to allow them to improve the client software. That's not the problem. The problem arises about certain intelligence services spooking around on Kaspersky servers, and accessing the data for other nefarious purposes. The problem arises that there's suspicion that some of those intelligence services were there with Kaspersky's knowledge and cooperation.
Publishing the source code does not dispel these suspicions.
(And yes, Western intelligence services may be doing the same. If they were caught doing it, they would be in deeper doodoo than the FSB, since the latter was actually following Russian law. But Western services typically do it more elegantly and prepare for that eventuality better.)
Such a boring merry-go-round of twattery, headed by state actors/crims of near-do-well intent. I class them all the same, they just dick wave each other to see who can wave the biggest 'wand'. Fucking twats. Let honest people live their lives without constant threat, get a life FFS.
This, like other instances smells more about making Amercia great, by firstly discrediting non-US products in the home (US) market and allowing the media to spread the FUD around the world. Secondly, by getting the non-US business to open themselves up to inspection by US 'officials' - who we can expect (as this is what happened in the past) to pass information obtained on to US businesses who would normally have had to compete with the non-US companies. Thirdly, the US companies will, having divided the non-US companies (do you trust critical software from a country other than your own?) be able to reconquer the world...
Following this strategy it won't be long before the US regains its 'lead' and hold on the IT sector...
So, what about if they hide a bit of extra binary in all the hundreds of megabytes that sent control to something else? Opensource doesn't mean it is the same code as the binary you have, just that it should be. You need to open source the tool chain setup, so that the video can be shown to compile to the exact same binary (then look for tricky things and bus that result in control being able to be obtained). But in that case, what you could do is compromise the tool in order to do it without detection, and so on.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
