69 comments

[ 3.8 ms ] story [ 138 ms ] thread
As always, any implication that all closed-source software, regardless of company, suffers from similar issues, is conveniently absent. Just as it was during the VW emissions scandal - it's the cheating that was problematic, not that consumers are effectively in the dark about how most of their products operate, and deliberately prevented (successfully or not) from finding out (personally, or done on their behalf by others).
Do you think because the implications of open-source software would threaten the economic model & world that the writer lives in?

Or that it's just an oversight and they just want to earn clicks? I think it's the latter, even if it's in effect the former (unintentioally).

I don't think this writer omitted it intentionally. I think it's because journalists that are too at-odds with corporate (or other dominant narrative) just have a harder time in their career. No-one gets censored, except in rare cases - they just don't have their contract extended. See https://cartoonistsrights.org/u-s-cartoonist-fired-after-cri... , but I imagine it's usually handled more subtly.
"In a Facebook post following his firing, Friday wrote that the incident showed “how fragile our rights to free speech and free press really are in the country.”"

Indeed.

I think the Bloomberg reporting goes beyond that. They claim lots of networking hardware comes pre-installed with Kaspersky software that the end-user may not even be aware of.

I can't find specific products so I don't know whether this is just Dell-preinstalled crapware that can be wiped with an OS reinstall or some sort of embedded device where the end user has no interface to disable/uninstall it.

Seeing how horrible and intrusive their endpoint AV is, I can't imagine them "sneaking" any of their products into anything.
Even worse, in some countries disassembling proprietary software to analyse its behaviour can be prohibited (at least they write this in EULA).

And modern OS have no protection against backdoors: desktop OS allow apps to do whatever they want, mobile OS like Android have privileges separation but don't allow user to control Internet traffic: you cannot run iptables or ban an app from accessing the network.

(comment deleted)
The article seems a bit hyperbolic to me. Expecting a major Russian cybersecurity company not to have any business with its own government is a bit naive. Not all government business is spying and unlawful activities.

From what Bloomberg is sharing with us (I couldn't find those emails), Kaspersky is developing a software solution with defensive and offensive capabilities as well as providing consultancy services to the FSB in hunting down criminals (Bloomberg says Kaspersky is "banging down doors").

Right. Why would anybody be surprised by this knowing full well that American companies do the same?
Because the Russians are the bad guys. /s
I didn't believe this as a child in the '80s, but in the last 10 years at least, Putin's Russia has been freaking horrifying to me. So yeah, they aren't the world's only bad guys, and they're probably not the worst, but it's not for lack of trying. Putin's vision of Russia doesn't even try to avoid looking comically sinister. I honestly don't see how anyone who isn't wrapped up in self-interested religious or ethnic nationalism could see it any other way.
The problem with that viewpoint is to treat Russia as a monolithic entity. Despite military aggression and political and speech repression by the ruling junta, there is still a vibrant and mostly functional economy.

Kaspersky providing services to the FSB (which is kind of like NIST, FTC, FCC, FBI, and DHS all in one) is little different to Cisco or IBM providing consulting services for the respective U.S. agencies.

Political conflict has always been this way, it's just more apparent now that trade information is widely accessible.

To compare, Japanese companies traded with the U.S. up until the 1941 invasion, despite significant political conflict between the two countries over Manchuria and the colonies in Southeast Asia.

I don't think it's entirely unfair. We know that the Russian government sponsors cyber attacks. They're not the only ones, we know the USA and China and North Korea and Israel and probably every other country does too. It all has to be taken into account.

If I buy Cisco gear, what's the likelihood that it has an NSA tap in it? [1] If I buy Check Point gear, what's the likelihood that it has a Mossad tap in it? [2] If I buy Kaspersky software, what's the likelihood that it has an FSB tap in it? Who would I rather be spied on by?

Does it change the risk rating if we know we're under active attack by a particular country? As someone who works for a major tech company, I can tell you Snowden's information about the NSA cut deeply into the trust we had built up with our foreign customers.

It is entirely fair to judge a Russian security company based on the actions of their government related to cyber attacks. Especially considering the not-entirely-democratic government of Russia does not allow private sector companies to be entirely private sector.

[1] https://www.engadget.com/2016/08/21/nsa-technique-for-cisco-...

[2] http://greatcircle.com/firewalls/mhonarc/firewalls.199707/ms...

Your point is undermined by your links. The first describes a remote network exploit, which is not developed by coöperation or coercion. Exploits take advantage of a software vulnerability to insert additional capabilities (espionage). I think you wanted to find a link describing the process of interdiction, which was implied to exist in the Snowden documents.

The second link is just a public denial by Check Point. I'm not sure why you're implying these companies coöperate with their governments. A discovered back door would destroy Kaspersky, Huawei, Cisco, Check Point, etc.; nobody would renew their contracts with that massive loss of trust.

I do think you raise an excellent point. The actual reality that these companies aren't providing back doors is not relevant when the perception is that they are. The greatest risk is not coöperation, but of remote exploitation of the software. It turns out that there are a few major countries known for conducting network exploitation campaigns, unrelated to the country of origin of the target software. Just as the Stuxnet guys were almost certainly not German, yet they had a vulnerability in Siemens software, and the NotPetya authors didn't exert physical influence over ME.Doc in Ukraine, attackers have little to do with where the software was built.

As long as a government acts "scary", however, it makes companies feel less secure in the software, which affects sales. I'm not singling out software and hardware procurement officers; the "feels = reals" phenomenon is a human condition.

The links aren't meant to prove there is some kind of government-planted backdoor, but rather to show the same kind of evidence Kaspersky is being charged with: rumors and whispers. And it's completely fair to judge based on that because every company is judged based on that.
The link talking about a remote exploit has nothing to do with back doors. Claiming it does belies a lack of expertise (which is fine) or an intent to deceive.
> A discovered back door would destroy Kaspersky, Huawei, Cisco, Check Point, etc.; nobody would renew their contracts with that massive loss of trust.

Given that a backdoor could look like an undiscovered exploit I fail to see how the one would result in the other, besides that where will you turn? To one of the other parties... Consider this the present situation and almost nobody has moved away from their vendors. Except maybe Juniper (not in your list) I don't see any of these brands as damaged (yet).

I don't think any credible vulnerability researcher would conclude any of those companies' software vulnerabilities were back doors. If you know of one, please let me know.

All of these companies write software in languages that require the programmer to track memory management and bound their own copies. The probability that software written in languages like that will generate a memory corruption vulnerability is extremely high.

Has Juniper actually been damaged by the backdoored source code scandal (which is the only genuinely back doored American company I can think of)?

This report claims a 5% YoY net revenue increase, along with higher GAAP profit. http://investor.juniper.net/investor-relations/press-release...

Weaponized hacking complicates things. You don't know to which extent Kaspersky cooperates with the FSB or even whether there isn't someone from the FSB working covertly for them, implementing backdoors.
Maybe there are some Mossad agents, French Intelligence, Chinese, NSA, etc. also working for Kaspersky. It is a multinational team.
Good and Evil are 100% relative to your position. No one ever thinks they are they bad guy.
It's not that simple by a long shot. Minus any information or critical thinking, no one ever thinks of themselves as the bad guy. I'm an American and I can tell you no end of past and present instances in our history in which we were the bad guys in a particular situation. I don't defend America if I think the US government is taking a morally, ethically, or intellectually wrong position, or if the US government does something really shitty. I vote against politicians who support such things and am not at all shy about criticizing America when it's appropriate. I hold Russians to the same standard as I hold myself and my fellow Americans, and expect them to be just as critical towards their own government when it's appropriate.

When people deflect criticism of their country by saying some other country is just as bad, they're totally missing the point. Saying that everyone does shitty things still doesn't make it OK for anyone to do shitty things. The German government was literally run by Nazis for over a decade and caused tens of millions of deaths, apparently for no reason other than idealism and narcissism. But that doesn't mean that I treat the German government of today as if they were secret Nazis all along, and that sure as hell doesn't mean it's OK for other countries to do what Germany did during WW2.

If all you've got is whataboutism, you are literally trying to defend indefensible behavior by pointing out instances of other countries engaging in indefensible behavior. This makes zero sense. I don't get it. It doesn't matter how many countries do horrible things, it doesn't make any of those horrible things OK. You are you, you are not your country. Think for yourself. OTOH, if you really think all those indefensible things that Russia (and America, at times) have done are OK, and you just want everyone to shut up about it so everyone can maintain the status quo, I honestly don't know what to say. I have zero common ground with such a person, they may as well come from another universe that I would give anything to not live in.

Hindsight is always 20/20, definitely. In the present, in the act of behaving, taking action or pursing cause no one believes they are a bad guy. To my original point about the behavior of Russia (my response to the other poster, I just realized you were the other poster ...), Im sure they believe they are acting in their best interest for their own good. So to be shocked by Russia's behavior from their standpoint is useless, just as to evaluate the US's behavior over the past 10 years. No one seems themselves as a bad guy in the present.
>When people deflect criticism of their country by saying some other country is just as bad, they're totally missing the point. Saying that everyone does shitty things still doesn't make it OK for anyone to do shitty things.

No, but if one's country does 10x the shitty things, they don't get to single out the other country as "evil".

>If all you've got is whataboutism, you are literally trying to defend indefensible behavior by pointing out instances of other countries engaging in indefensible behavior.

And if you don't see things in perspective and weight them, then you single out some "indefensible behavior", and ignore other because its by the side one happens to belong too.

Countries, like humans, aren't perfect. But we don't get to pick and chose what's indefensible pointing to single person for what many do. Especially if we always conveniently point to the other person.

Well sure. That's my whole point. If the US engages in what I consider immoral or otherwise indefensible behavior, the fact that I am an American has no bearing on how harshly I judge that behavior. I hold Russians to the same standards as I hold myself, therefore I expect them to denounce the actions of their government when appropriate.

I don't give two shits whether or not some other country (including my own) has engaged in the same shitty behavior that some other country that I'm currently worried about is currently engaged in. Shitty behavior is shitty behavior no matter who's doing it, and I have zero tolerance for it.

If Russia has mysterious patterns of Putin's political opponents getting imprisoned or murdered on a regular basis, the fact that some American politicians may have done something similarly shitty at some point had absolutely zero affect on me. Yeah, it's just as shitty when America does it. What's your fucking point? I'm speaking out as a human being, not as an American calling out Russia. Accusations of hypocrisy mean nothing to me, or anyone in this debate (I would hope at least). I don't complain about Russia because I think America is better, I complain about Russia because Putin is one of the most colossal fucking assholes in the entire fucking world right now.

That's the thing though. If indeed "shitty behavior is shitty behavior no matter who's doing it, and [you] have zero tolerance for it" then he is not "one of the most colossal fucking assholes in the entire fucking world right now" but just an average, run of the mill, arsehole.

Saying "shitty behavior is shitty, doesn't matter who is doing it" is meaningful if indeed those proclaiming don't in practice restrict their criticism to a single party. If people critique many times as much with much worse language X compared to their critique of Y (especially if Y does worse to begin with), then it shows the opposite: that some shitty behavior is more excused than others.

Especially if the result of one kind of critique is just some tame protesting in the media and/or the streets ("Stop Bush's war", "Obama didn't do what he promised", "Trump is this and that", etc.), whereas the other criticism is aligned with and brings with it a whole military machine, sanctions against the country, diplomatic pressure, etc.

I guess that's the root of our disagreement then. I don't see him as a run-of-the-mill asshole. I see him as one of the most dangerous people in the entire world. I could point to some other national leaders who on the surface seem way worse than Putin, but those people aren't smart enough or powerful enough to have the kind of impact on the world that he does.

I think Putin is way more intelligent, capable, and ambitious than Duterte for example, and Duterte certainly fits into the "psychopathic authoritarian monster" stereotype far more obviously than Putin does. But Putin in the long term can do far more damage to the world at large. Duterte is a cartoon, and as awful as he is, I don't think he has ambitions beyond his own borders. Putin most definitely has such ambitions, and the ability to achieve them. And of course, in a selfish sense I'm extra worried about him because he's clearly hostile to my country, and the values and ideals that I hold, as well as the values and ideals that my country holds (at least on paper, even if it doesn't always do a great job of representing them).

(comment deleted)
>I didn't believe this as a child in the '80s, but in the last 10 years at least, Putin's Russia has been freaking horrifying to me.

In what way, and what's "comically sinister"? Russia mostly deals with stuff in their borders. The "worst" they did was intervene in a neighbor-hooding part of Ukraine, with 60% citizenry of Russian ethnicity, who even had a referendum for preferring to unite with Russia, and that only after the legitimate government of that country was toppled by a ragtag coalition that included bona-fide neo-nazis. Hardly the stuff of "world domination"...

The US in the last 20 years has occupied 2 sovereign countries, bombed several others, and turned most of them from stable regimes into hell holes of civil war and militant islamist. Plus has been pushing NATO all the way into Russia's borders (and all the global surveillance stuff, drone killings, Guantanamo, etc). And to pre-empt any knee jerk reactions, that's not "whataboutism" (sic), that's perspective.

In their internal policies, they are what they always were: liberal in some aspects, conservative in others (e.g. religion, homosexuality, etc). But making them into bad guys for that stuff is rich when half of one's own country agree with those two, or up until last 1-2 decades most states had laws against "sodomy", or there's still things like the death penalty or the worlds lead (with huge difference from the second) in incarcerations.

I love the US (country and people) and haven't even ever been to Russia (though I like their literature, spirit and oddball society), but as an outside observer, can't stand the hypocrisy.

Again, I judge people in my own country (and my own country's government) just as harshly when they advocate or implement policies that I consider immoral, unethical, or just plain stupid. I also don't freak out when people from other countries criticize my country for those things. In fact, I welcome their support.

I just don't understand the mentality of getting way more upset about other people's perceived hypocrisy, than getting upset over people doing actual terrible things. Hypocrisy is a bad thing, but it's a drop in the bucket compared to people doing actual bad things. Hypocrisy, even when it's true, is a really pointless thing to get worked up about.

In my experience, the only times people bust out hypocrisy as an argument against someone else's accusations, it's for one of two reasons:

(1) To show that the accuser doesn't really think the thing the accused did is wrong. I imagine there may be a few cases where this might be meaningful (like when political candidates debate each other), but it has no bearing on the accusation itself. If Charles Manson accused John Wayne Gacy of being a serial killer, the obvious hypocrisy wouldn't make me question Gacy's guilt, and it certainly wouldn't lead me to the conclusion that because hypocrisy is involved, it must be OK to be a serial killer.

(2) Other times people bring up hypocrisy because they're just trying to deflect the accusation. This is whataboutism in a nutshell. In this case, the person upset about hypocrisy is actually OK with whatever the accusation is, and they just want to change the subject by putting the person they're accusing of hypocrisy on the defensive. It's a rhetorical trick but all it does is confuse the issue and attempt to normalize indefensible actions.

Again: it's hard for me to even articulate how irrelevant it is that America might be guilty of similar things at various points in its history that I am upset at Putin about. If Putin started calling out human rights abuses in the US that were in fact real, I really really really really really don't care that he might be hypocritical by accusing my country of such things. If his hypothetical accusations were correct, I'd be every bit as concerned about them then if the accusations came from a less hypocritical source.

"Breaking news! The sky is blue in Russia too!"
Here's the actual quote from Kaspersky's email about his firm's projects with the FSB:

> The project includes both technology to protect against attacks (filters) as well as interaction with the hosters (‘spreading’ of sacrifice) and active countermeasures (about which, we keep quiet) and so on

Does anybody know what "interaction with the hosters" means?

Presumably it refers to building relationships with various hosting companies around the world so Kaspersky can get datacenters to seize servers for them without court orders.

This is relatively common practice for many DCs, if you're a "bad" client they'll privately hand your stuff to AV companies for analysis.

I also guess this includes practical advice like "FFS never turn abusive customers servers off, they could be encrypted"

Whatever next? Have American AV companies been "Working with American Intelligence"? That would be just as shocking... ;)
I suspect the penalties for not playing ball are more severe in Russia
In soviet Russia, severe ball plays you!
In Putins Russia, westerners use antiquated soviet metaphors in to maintain a false sense of superiority and unipolar status quo

disclaimer: I like soviet russia jokes

To be serous Putin's and old school Chekist
And the rootless capitalist kulak falls out of the window accidently :-(
Thanks to the wonders of the free market, you can choose which global intelligence service you want your software to be compromised to!

(I'm not even sure if this is a joke)

Or you can put off such decisions, and be compromised by all!
What's (also not?) shocking is that huge swath of America and the rest of the world doesn't know this and just thinks... those nice people at XXX installed that wonderful virus checker for free on my new PC.

Remember the crap you remove from your uncle's computer over Christmas... and that he's was a full bird colonel with links to all of his old buddies on FB who think spear fishing involves flippers.

We know that Google and Apple are working with the American Intelligence and they could be considered AV companies when you look at some of their mobile OSes features...
We know that Google and Apple are working with the American Intelligence

Citation needed.

They implemented NSA's PRISM program... that must have taken some work initially, if not continually.

https://www.theguardian.com/world/2013/jun/06/us-tech-giants...

That document doesn't make an overwhelming case for Google or Apple "working with" intelligence agencies. But I haven't read the original Powerpoint, so maybe I'm simply ignorant of the facts.

As opposed to the likes of AT&T and Verizon. Which we know were actively cooperating with the NSA.

More likely is that perhaps individual Apple or Google employees were suborned, or the NSA took advantage of weaknesses. E.g. IIRC Google wasn't encrypting traffic between its data centers, Apple had a "goto fail" bug, etc. Why bother forcing companies to cooperate if you can instead take what you want without asking?

Let me ask you this: Do you think that Eric Schmidt or Sergey Brin or Larry Page or Steve Jobs or Tim Cook said something like "OK, lets give the NSA what they want."

I don't think so. More likely, if Google and Apple knew at all, they simply acquiesced to what they thought were legal court orders.

Yes, they try to make their users store the data in the "cloud". Maybe they do it in hope to get profit but maybe NSA wants to keep the data from people around the world on servers in US.

Google should allow users to use their own "cloud".

No shit. This isn't really news, as a few others point out that companies generally tend to work with their respective country's government. You won't see Kaspersky AV on a US government workstation and you won't see McAfee on any of their workstations for example.
The real news here, the part that makes the US government care, is "As many as 200 million [people] may not know [they use Kaspersky]."

Businessweek buried the lede (potentially-compromised firmware in devices you don't realize carry it) behind the blatantly-obvious (AV companies are not government-independent). Well, that and Kaspersky may have been lying about what connections they do have, but frankly that's not surprising either.

Thank goodness we don't have to worry about the big tech companies working with intelligence services in the USA.
Before we entered The Darkest Timeline, NSA used to be known for helping American companies with their encryption and cybersecurity, and preventing corporate espionage.

I'm one of the first when it comes to criticizing overreach of governments and intelligence agencies, but I do recognize that they do a lot of legitimate and positive work.

They still do extensive work on mitigating and responding to corporate and nation-state espionage. Aurora is probably the most public taste of the work behind closed doors.
Preventing corporate espionage : priceless!

"The paper said the agency "lifted all the faxes and phone-calls between Airbus, the Saudi national airline and the Saudi Government" to gain this information."

Agency : NSA.

http://news.bbc.co.uk/2/hi/europe/820758.stm

Well, prevent espionage from other countries on US firms of course. And there is always the discrepancy between stated goals and reality.
It's hardly odd for a computer security company to seek government contracts. The released emails don't seem point to anything nefarious (unless merely working with the FSB is considered nefarious). The remainder is a lot of "could" and "would be possible" speculation. Conspiracy mongering clickbait. Moving on.
He who smelt it dealt it?

Crowdstrike, FireEye ,Cobaltstrike,symantec,etc... are they CIA fronts as well?

As an american, why would I trust the CIA/NSA over the SVR/GRU? I wish I didn't have to ask that. but the fact is, and I'm sure some will agree - It is the CIA/NSA machine that can make my life here in America hell, not the SVR/GRU.

I can understand the concern when it comes to critical infrastructure and government software. However in the private sector and for individuals - "A tyrant 3000 miles away" is less of a threat than "3000 tyrants a mile a way".

> As an american, why would I trust the CIA/NSA over the SVR/GRU?

Because one is tasked - in theory - with protecting you, the other is tasked solely with protecting Russians (at your expense as necessary). It's that simple. And if you're going to claim the NSA never does anything to keep Americans safe, it would degrade your credibility toward zero.

If you subtract the stuff that you don't want them to do from the stuff that you want them to do, are you still in the positive?
They do plenty to protect what they consider is worthy of protection. which often leaves me out. Protection in their sense includes depriving me of basic rights and freedoms (so long as I'm "Safe").

It's not their official duties that I find dubious but their historical and ongoing ignorance of them. If they simply did their job I wouldn't even need to ask that question.

I'd probably ask the same of SVR/GRU if I lived in Russia.

If the NSA/CIA were doing their job, they wouldn't spy on their own people and they certainly wouldn't make secret deals with security companies and inflitrate their ranks to have a strategic advantage. Letting security companies independently do their job would be "protecting America" backdoors, hoarding exploits, influencing weak crypto,etc... I'm sorry but the russians don't even have the ability to do some of that even if they have the will.

GRU or NSA for both "ends justify means" , if you're on the "ends" side, pick software backdoored by your home country. if you're on the "means" side, pick the other guy.

I suppose it's time to consider what "collateral damage" in the sense of geopolitical computer security is.

True. Sadly.

Alas, while Russian (and Chinese) general disinterest in f'ing with you does help, their equally developed general disinterest in your well-being means they might have incentive to sell or trade with entities more... interested.

For private individuals that move makes sense. For nation states (with the exception of NK because they're so broke) - a financial incentive isn't enough.

Petya with M.E.DOC is a good example, Russians burned quite a significant attack infrastructure there. They could have sold that access to "someone" but the price (under $1mil in my opinion) isn't worth the sort of chaos it caused in ukraine (majority of companies in ukraine used that software I believe). My point is, if they did backdoor kasperskyOS, it wouldn't be used for a financial end, maybe to "show off" their capability, a retaliation to your government screwing with them,etc... but certainly not a financial end.

Frankly, I'd be happy if governments stay out of securiing civilians when it comes to computers and the internet. Tired of being a meaningless pawn to be discarded whenever convenient to do so.

Of course they have. They are a business based in Moscow. I would be surprised if they hadn't. They are just too attractive a target for the Kremlin not to try to co-opt. No idea how any US corporate security team could justify working with them, quite honestly.
Do you also have no idea how any non-US security team can justify working with Microsoft?
Unlike US-based security companies?
Yes, US-based security companies don't work with FSB.