Kaspersky Lab is willing to go to extreme lengths to reassure the U.S. government about the security of its products:
Eugene Kaspersky is willing to turn over computer code to United States authorities to prove that his company's security products have not been compromised by the Russian government, The Associated Press reported early Sunday.
"If the United States needs, we can disclose the source code," said the creator of beleaguered Moscow-based computer security company Kaspersky Lab in an interview with the AP.
"Anything I can do to prove that we don't behave maliciously I will do it."
Also at Neowin.
In Worrisome Move, Kaspersky Agrees to Turn Over Source Code to US Government
Over the last couple of weeks, there's been a disturbing trend of governments demanding that private tech companies share their source code if they want to do business. Now, the US government is giving the same ultimatum and it's getting what it wants.
On Sunday, the CEO of security firm Kaspersky Labs, Eugene Kaspersky, told the Associated Press that he's willing to show the US government his company's source code. "Anything I can do to prove that we don't behave maliciously I will do it," Kaspersky said while insisting that he's open to testifying before Congress as well.
The company's willingness to share its source code comes after a proposal was put forth in the Senate that "prohibits the [Defense Department] from using software platforms developed by Kaspersky Lab." It goes on to say, "The Secretary of Defense shall ensure that any network connection between ... the Department of Defense and a department or agency of the United States Government that is using or hosting on its networks a software platform [associated with Kaspersky Lab] is immediately severed."
Jeanne Shaheen, a New Hampshire Democrat, tells ABC News that there is "a consensus in Congress and among administration officials that Kaspersky Lab cannot be trusted to protect critical infrastructure." The fears follow years of suspicion from the FBI that Kaspersky Lab is too close to the Russian government. The company is based in Russia but has worked with both Moscow and the FBI in the past, often serving as a go-between to help the two governments cooperate. "As a private company, Kaspersky Lab has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyberespionage efforts," an official statement from Kaspersky Lab reads.
Source: Gizmodo
(Score: 1, Interesting) by Anonymous Coward on Tuesday July 04 2017, @09:06AM (7 children)
Which department of the US government is going to audit the code? They better be fluent in Russian because I doubt Kaspersky wrote their variable names & comments in English.
And how will they know that what they got is the same/complete source code used in the available Kaspersky product line? Different versions of libraries, etc. will make it hard for the US to compile/produce an exact duplicate of the products shipped by Kaspersky. I'm not saying it can't be done - just that the US government isn't exactly competent when it comes to technology.
(Score: 4, Interesting) by zocalo on Tuesday July 04 2017, @09:41AM (3 children)
As you note though, that still leaves the question of whether the US has anyone competent enough to do it in a way that ensures the process can't be backdoored in the event that Kaspersky does end up under the thumb of the Russian government at some point. Given that could be as simple as failing to include some detection signatures for the FSB's equivalent of the NSA's hacking tool suite, they had better include some kind of defence-in-depth strategy so that any specific link in the security chain failing isn't a major problem, but if you can do that then the need for the audit of Kaspersky's code is mostly moot anyway.
UNIX? They're not even circumcised! Savages!
(Score: 1, Interesting) by Anonymous Coward on Tuesday July 04 2017, @02:07PM
Of course Huawei is willing to provide code, and even let you compile it yourself. The backdoors are built into the hardware, so the code doesn't matter.
(Score: 2) by frojack on Tuesday July 04 2017, @06:18PM (1 child)
Since the signatures are updated in near real time, providing them at all is pointless.
The engine, however would be very worthwhile to audit, so that you could see what telemetry it is sending back, how, (or if) that is encrypted, and the keys used for encryption, etc.
After all, a "security" product doesn't have to be perfect (especially in a constantly changing world) it just has to NOT be a BEACHHEAD.
Obtaining the signatures structure specifications, so that you could create your own signature addendums would be useful too.
The problem I see is that the US Government's inability to prevent leaks means that ALL of this information ends up in blackhat hands in short order. Who's to say the US Government isn't the worst blackhat in the world?
No, you are mistaken. I've always had this sig.
(Score: 2) by zocalo on Tuesday July 04 2017, @07:01PM
UNIX? They're not even circumcised! Savages!
(Score: 3, Informative) by Runaway1956 on Tuesday July 04 2017, @10:24AM
The Department of the Navy has boatloads of cryptography techs who are fluent in Russian, if no other department has them. I can't say how many CTs are also programmers, or competent to audit code, but some of them are.
(Score: 0) by Anonymous Coward on Tuesday July 04 2017, @12:54PM
If you want to be sure, you have to understand the actual code anyway. Variable names and comments could be misleading (accidentally or intentionally). Only the information that ends up in the compiled and executed code is really relevant.
(Score: 4, Informative) by fraxinus-tree on Tuesday July 04 2017, @02:33PM
My native language (Bulgarian) also uses Cyrillic alphabet (well, it is Russian that is an old pirated version of it) and I can assure you that most program code I have seen has pretty much English identifiers and (if any) English comments. It is just a major hassle to switch both your keyboard and your brain to something THAT MUCH different.