Stories
Slash Boxes
Comments

SoylentNews is people

posted by mrpg on Tuesday July 04 2017, @08:19AM   Printer-friendly
from the here-nsa-take-my-source-code dept.
Kaspersky Willing to Hand Source Code Over to U.S. Government

Kaspersky Lab is willing to go to extreme lengths to reassure the U.S. government about the security of its products:

Eugene Kaspersky is willing to turn over computer code to United States authorities to prove that his company's security products have not been compromised by the Russian government, The Associated Press reported early Sunday.

"If the United States needs, we can disclose the source code," said the creator of beleaguered Moscow-based computer security company Kaspersky Lab in an interview with the AP.

"Anything I can do to prove that we don't behave maliciously I will do it."

Also at Neowin.

In Worrisome Move, Kaspersky Agrees to Turn Over Source Code to US Government

Over the last couple of weeks, there's been a disturbing trend of governments demanding that private tech companies share their source code if they want to do business. Now, the US government is giving the same ultimatum and it's getting what it wants.

On Sunday, the CEO of security firm Kaspersky Labs, Eugene Kaspersky, told the Associated Press that he's willing to show the US government his company's source code. "Anything I can do to prove that we don't behave maliciously I will do it," Kaspersky said while insisting that he's open to testifying before Congress as well.

The company's willingness to share its source code comes after a proposal was put forth in the Senate that "prohibits the [Defense Department] from using software platforms developed by Kaspersky Lab." It goes on to say, "The Secretary of Defense shall ensure that any network connection between ... the Department of Defense and a department or agency of the United States Government that is using or hosting on its networks a software platform [associated with Kaspersky Lab] is immediately severed."

Jeanne Shaheen, a New Hampshire Democrat tells ABC News, that there is "a consensus in Congress and among administration officials that Kaspersky Lab cannot be trusted to protect critical infrastructure." The fears follow years of suspicion from the FBI that Kaspersky Labs is too close to the Russian government. The company is based in Russia but has worked with both Moscow and the FBI in the past, often serving as a go-between to help the two governments cooperate. "As a private company, Kaspersky Lab has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyberespionage efforts," an official statement from Kaspersky Labs reads.

Source: Gizmodo


Original Submission #1Original Submission #2

Related Stories

U.S. Lawmakers Urge AT&T to Cut Ties With Huawei 17 comments

Exclusive: U.S. lawmakers urge AT&T to cut commercial ties with Huawei - sources

U.S. lawmakers are urging AT&T Inc, the No. 2 wireless carrier, to cut commercial ties to Chinese phone maker Huawei Technologies Co Ltd and oppose plans by telecom operator China Mobile Ltd to enter the U.S. market because of national security concerns, two congressional aides said.

[...] Earlier this month, AT&T was forced to scrap a plan to offer its customers Huawei handsets after some members of Congress lobbied against the idea with federal regulators, sources told Reuters.

The U.S. government has also blocked a string of Chinese acquisitions over national security concerns, including Ant Financial's proposed purchase of U.S. money transfer company MoneyGram International Inc.

The lawmakers are also advising U.S. firms that if they have ties to Huawei or China Mobile, it could hamper their ability to do business with the U.S. government, one aide said, requesting anonymity because they were not authorized to speak publicly.

Related: NSA Spied on Chinese Government and Huawei
Kaspersky Willing to Hand Source Code Over to U.S. Government
Kaspersky Lab has been Working With Russian Intelligence
FBI Reportedly Advising Companies to Ditch Kaspersky Apps
Federal Government, Concerned About Cyberespionage, Bans Use of Kaspersky Labs Products


Original Submission

Kaspersky Lab Exposed U.S. Military "Slingshot" Malware 18 comments

US officials: Kaspersky "Slingshot" report burned anti-terror operation

A malware campaign discovered by researchers for Kaspersky Lab this month was in fact a US military operation, according to a report by CyberScoop's Chris Bing and Patrick Howell O'Neill. Unnamed US intelligence officials told CyberScoop that Kaspersky's report had exposed a long-running Joint Special Operations Command (JSOC) operation targeting the Islamic State and Al Qaeda.

The malware used in the campaign, according to the officials, was used to target computers in Internet cafés where it was believed individuals associated with the Islamic State and Al Qaeda would communicate with their organizations' leadership. Kaspersky's report showed Slingshot had targeted computers in countries where ISIS, Al Qaeda, and other radical Islamic terrorist groups have a presence or recruit: Afghanistan, Yemen, Iraq, Jordan, Turkey, Libya, Sudan, Somalia, Kenya, Tanzania, and the Democratic Republic of Congo.

The publication of the report, the officials contended, likely caused JSOC to abandon the operation and may have put the lives of soldiers fighting ISIS and Al Qaeda in danger. One former intelligence official told CyberScoop that it was standard operating procedure "to kill it all with fire once you get caught... It happens sometimes and we're accustomed to dealing with it. But it still sucks. I can tell you this didn't help anyone."

This is good malware. You can't expose the good malware!

Related: Kaspersky Claims to have Found NSA's Advanced Malware Trojan
Ties Alleged Between Kaspersky Lab and Russian Intelligence Agencies
Kaspersky Willing to Hand Source Code Over to U.S. Government
Kaspersky Lab has been Working With Russian Intelligence
FBI Reportedly Advising Companies to Ditch Kaspersky Apps
Federal Government, Concerned About Cyberespionage, Bans Use of Kaspersky Labs Products
Kaspersky Lab and Lax Contractor Blamed for Russian Acquisition of NSA Tools


Original Submission

Kaspersky Lab has been Working With Russian Intelligence 20 comments

According to emails from October 2009 obtained by Jordan Robertson and Michael Riley at Bloomberg it appears that Kaspersky Lab has been working with Russian Intelligence. Despite long standing rumours over these connections Eugene Kaspersky has always denied this to be the case, including as recently as last week in response to questions in the US Senate by Florida Republican Marco Rubio when he stated that "Claims about Kaspersky Lab's ties to the Kremlin are "unfounded conspiracy theories" and "total BS,"" on Reddit, and even offering to hand over the source code to the US Government for inspection.

While the exact nature of the co-operation with the FSB is still unclear, in the emails Kaspersky outlines a project undertaken in secret a year earlier "per a big request on the Lubyanka side," a reference to the FSB offices, that "includes both technology to protect against attacks (filters) as well as interaction with the hosters ('spreading' of sacrifice) and active countermeasures (about which, we keep quiet) and so on," Kaspersky wrote in one of the emails. Kaspersky Lab has confirmed that the emails are authentic. Whether this was legitimate work with the FSB in the prevention of cybercrime or securing FSB facilities or something more nefarious, it seems likely that this is not going to alleviate concerns over the use of their software putting further pressure on Kaspersky's business in other countries.


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 3, Insightful) by Anonymous Coward on Tuesday July 04 2017, @08:45AM (6 children)

    by Anonymous Coward on Tuesday July 04 2017, @08:45AM (#534734)

    In reading about our red scares in text books it always feels like some distant world. How could an entire country become so unjustly paranoid and throw out all notions of innocent until proven guilty?

    It feels as though we're now going down what must have already happened in the past. Notions of innocent until proven guilty are gradually being replaced with swinging wild allegations and just hoping something will stick. And invariably something will stick if only because of the 6 degrees of separation effect. And that coincidence is in turned used to justify the allegations and support even more extreme allegations and investigations. We're now reaching the point that parties, who I will presume are innocent as they most certainly have not been proven guilty, are now having to volunteer to lay themselves bare in front of congress just to try reclaim the presumption of innocence that's been tossed aside for no apparent reason other than paranoia and politics.

    It's kind of terrifying how gradual and 'normal' this all feels. Red scares, literal witch hunts, the inquisition, and so on. I wonder... did they all feel similarly natural? At this point I'd be more willing to have The Forbin Project making decisions than humans. We're too incapable of sticking to our ethical guidelines when going against them feels so right and so natural.

    • (Score: 5, Insightful) by lx on Tuesday July 04 2017, @09:12AM (1 child)

      by lx (1915) on Tuesday July 04 2017, @09:12AM (#534737)

      If you haven't noticed, the scare has been underway for a long time now. It is sad to see all Russians lumped in with the criminals around Putin.
      On the other hand, looking in from outside I often find it difficult to distinguish between Americans and the shit your government pulls. [reuters.com] (Random recent example. The efforts under Dronemaster Barry were pretty bad as well)

      • (Score: 1, Interesting) by Anonymous Coward on Tuesday July 04 2017, @04:41PM

        by Anonymous Coward on Tuesday July 04 2017, @04:41PM (#534830)

        There is 48+ percent of Americans who AREN'T any different from the policy America is pushing those years.

        The only real difference is which ~48 percent it is.

        It wasn't until this past election that I realized how true it was/had become in America. But the country has basically devolved into two giant sports teams screaming epithets at each other while trying to undo the other's policies, with no actual attention paid to what is best for America domestically and/or what is best for America internationally, both in providing continued bilateral international trade, as well as sufficient political capital to stay on cool to friendly terms with most of the international community.

        War may be good for the arms business, but it is lousy for sustained and interconnected economic growth between otherwise culturally opposed countries.

    • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @09:32AM

      by Anonymous Coward on Tuesday July 04 2017, @09:32AM (#534743)

      the media does not mean the whole country for fuck sake. the MSM just has a hardon for ratings, nothing more. the fact that this baseless nonsense is being talked about constantly without a single shred of fucking evidence outside of he-said-she-said should tell you all you need to know.

    • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @06:27PM (1 child)

      by Anonymous Coward on Tuesday July 04 2017, @06:27PM (#534866)

      The real problem is that this is proprietary software and no one should trust it anyway. If they can't even be bothered to give their users freedom, then they are worthless and abusive.

      • (Score: 0) by Anonymous Coward on Wednesday July 05 2017, @04:27PM

        by Anonymous Coward on Wednesday July 05 2017, @04:27PM (#535252)

        yeah, the dumb whores in washington should be requiring source from all companies that want to sell software to tax payers. singling out kaspersky, under false pretenses, is disgustingly stupid. i've seen many indications in the past that, for slaveware peddlers, they at least try to do what they say they do (attempting to protect slaveOS).

    • (Score: 2) by Reziac on Wednesday July 05 2017, @03:22AM

      by Reziac (2489) on Wednesday July 05 2017, @03:22AM (#535042) Homepage
  • (Score: 1, Interesting) by Anonymous Coward on Tuesday July 04 2017, @09:06AM (7 children)

    by Anonymous Coward on Tuesday July 04 2017, @09:06AM (#534736)

    Which department of the US government is going to audit the code? They better be fluent in Russian because I doubt Kaspersky wrote their variable names & comments in English.

    And how will they know that they got is the same/complete source code used in the available Kaspersky product line? Different versions of libraries, etc will make it hard for the US to compile/produce an exact duplicate of the products shipped by Kaspersky. I'm not saying it can't be done - just that the US government aren't exactly competent when it comes to technology.

    • (Score: 4, Interesting) by zocalo on Tuesday July 04 2017, @09:41AM (3 children)

      by zocalo (302) on Tuesday July 04 2017, @09:41AM (#534746)
      Depends how far Kaspersky is willing to go in order to try and secure a US Government contract. I was involved in some early discussions with Huawei back when they were first starting to get involved in selling to the West and there was all that talk about how the Chinese might have backdoored the products; a very valid concern for us since the proposed deployment would have been on a major national infrastructure project. Besides making a similar offer to Kaspesky - turning over all their code and so on to GCHQ for inspection in our case - they were also apparently quite willing to help setup the necessary build infrastructure for us to roll our own firmware from their code, and didn't rule out a suggestion of some customisation like dropping functionality we wouldn't need to reduce the attack surface and so on. In our case we didn't really need to pursue that to the point of getting a contract thrashed out - just make it clear that the offer was on the table and roughly how it would work - but it should be entirely possible for the US to do something similar with Kaspersky if both parties are amienable to it.

      As you note though, that still leaves the question of whether the US has anyone competent enough to do it in a way that ensures the process can't be backdoored in the event that Kaspersky does end up under the thumb of the Russian government at some point. Given that could be as simple as failing to include some detection signatures for the FSB's equivalent of the NSA's hacking tool suite that had better include some kind of defence in depth strategy that doesn't mean that any specific link the the security chain failing is a major problem, but if you can do that then the need for the audit of Kaspersky's code is mostly moot anyway.
      --
      UNIX? They're not even circumcised! Savages!
      • (Score: 1, Interesting) by Anonymous Coward on Tuesday July 04 2017, @02:07PM

        by Anonymous Coward on Tuesday July 04 2017, @02:07PM (#534794)

        Of course Hua;wei is willing to provide code, and even let you compile it yourself. The backdoors are built into the hardware, the code doesn't matter.

      • (Score: 2) by frojack on Tuesday July 04 2017, @06:18PM (1 child)

        by frojack (1554) Subscriber Badge on Tuesday July 04 2017, @06:18PM (#534863) Journal

        Given that could be as simple as failing to include some detection signatures for the FSB's equivalent of the NSA's hacking tool suite that had better include some kind of defence in depth

        Since the signatures are updated in near real time, providing them at all is pointless.

        The engine, however would be very worthwhile to audit, so that you could see what telemetry it is sending back, how, (or if) that is encrypted, and the keys used for encryption, etc.

        After all, a "security" product doesn't have to be perfect (especially in a constantly changing world) it just has to NOT be a BEACHHEAD.

        Obtaining the signatures structure specifications, so that you could create your own signature addendums would be useful too.

        The problem I see is the US Government's inability to prevent leaks means that ALL of this information ends up in the blackhat hands in short order. Who's to say the US Government aren't the worst blackhats in the world?

        --
        No, you are mistaken. I've always had this sig.
        • (Score: 2) by zocalo on Tuesday July 04 2017, @07:01PM

          by zocalo (302) on Tuesday July 04 2017, @07:01PM (#534890)
          Yeah, that's kind of my point. Valuable as a code audit of an AV package might be to check for backdoors, flaws, telemetry, etc., it's not really going to do anything to assure you that the software won't turn a blind eye to any government malware they've been forced to ignore. Even if you were to try and audit the signatures - Sisyphean task that it is - it would be rather tricky to determine not only that it omitted a signature for a 0day but that the omission was deliberate when no one else is aware of it yet either. That's where the defence in depth comes in; even clueful home users are not just are relying on an AV package anymore; as a minimum they'll usually also have a firewall, and maybe a script blocker plus some other tools running as well, so if one link does fail the others can hopefully pick up the slack, or at least minimise the damage. Any corporation or government agency that isn't doing alll that and more already probably isn't going to benefit from a code audit anyway - if anything, it'll just give them a false sense of security.
          --
          UNIX? They're not even circumcised! Savages!
    • (Score: 3, Informative) by Runaway1956 on Tuesday July 04 2017, @10:24AM

      by Runaway1956 (2926) Subscriber Badge on Tuesday July 04 2017, @10:24AM (#534750) Journal

      The Department of the Navy has boatloads of cryptography techs who are fluent in Russian, if no other department has them. I can't say how many CT's are also programmers, or competent to audit code, but some of them are.

      --
      Keep all chemicals out of the reach of meth heads.
    • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @12:54PM

      by Anonymous Coward on Tuesday July 04 2017, @12:54PM (#534781)

      Which department of the US government is going to audit the code? They better be fluent in Russian because I doubt Kaspersky wrote their variable names & comments in English.

      If you want to be sure, you have to understand the actual code anyway. Variable names and comments could be misleading (accidentally or intentionally). Only the information that ends up in the compiled and executed code is really relevant.

    • (Score: 4, Informative) by fraxinus-tree on Tuesday July 04 2017, @02:33PM

      by fraxinus-tree (5590) on Tuesday July 04 2017, @02:33PM (#534800)

      My native language (Bulgarian) also uses Cyrillic alphabet (well, it is Russian that is an old pirated version of it) and I can assure you that most program code I have seen has pretty much English identifiers and (if any) English comments. It is just a major hassle to switch both your keyboard and your brain to something THAT MUCH different.

  • (Score: 2) by zocalo on Tuesday July 04 2017, @09:17AM (17 children)

    by zocalo (302) on Tuesday July 04 2017, @09:17AM (#534738)
    I really don't see what is "worrisome" about this, at least not for Kaspersky. It's hardly novel for a close source software or hardware company to turn over their code for inspection by government agencies or their designated external auditors; even the likes of Microsoft have done it when it came down to either that or losing out on suitably large potential markets for their products. Huawei was extremely vocal about their offer to do the same in an attempt to assuage Western governments that their hardware was safe when they were first trying to get established in the West - supposedly even to the point of providing the source to compile the firmware for some major contracts (which does nothing for anything that might be baked into the chips, of course).

    Factor in that this is likely to only happen under controlled conditions with all code requests logged and backed up with NDAs and other legal agreements to discourage anyone from thinking that they could leak some (or all) of the code and get away with it, and there's really quite minimal risk for Kaspersky here. The potential pay off though is huge; how many PCs and other devices (Kaspersky supports mobile devices too) that could potentially be running a licensed copy of Kaspersky AV does the US Government have, all told? Tens of millions seems quite likely, and that's going to add up to quite a large chunk of on-going revenue when you factor in their annual update subscription pricing model, and Kasperspky also gets a unique selling point out of the deal: The US will have auditted their code (on their dime too!) and would have a very good idea how the quality of the code, possibly even advising Kaspersky of any potential coding flaws they might have identified - how many of the Western based competitors would be in a position to claim that?
    --
    UNIX? They're not even circumcised! Savages!
    • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @09:36AM (8 children)

      by Anonymous Coward on Tuesday July 04 2017, @09:36AM (#534744)

      It's very simple. The government should not be banning software without effectively irrefutable evidence of malfeasance. In this case it's clear such evidence does not exist. There's no security through obscurity here. If the government had solid evidence then source access would be more than sufficient to confirm or deny their suspicions. We are, terrifyingly naturally, turning into a country where people and companies who fall out of favor with 'the powers that be' are guilty until proven innocent. Pair this with the fact that we are now also increasingly more willing to shoot first and ask questions later, even preemptively, is making this a very dangerous path to go down.

      • (Score: 2) by takyon on Tuesday July 04 2017, @12:42PM

        by takyon (881) Subscriber Badge <{takyon} {at} {soylentnews.org}> on Tuesday July 04 2017, @12:42PM (#534777) Journal

        The government should not be banning software without effectively irrefutable evidence of malfeasance.

        Are they banning you from running Kaspersky or are they banning it on their own computers?

        --
        [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
      • (Score: 2) by Wootery on Tuesday July 04 2017, @12:49PM (1 child)

        by Wootery (2341) on Tuesday July 04 2017, @12:49PM (#534779)

        The government should not be banning software without effectively irrefutable evidence of malfeasance.

        Disagree. We're not talking about a criminal trial here.

        If you want to join the military, they have a list of things that can immediately disqualify you. That's not because they mean you're definitely going to screw things up, it's more of a precaution. Is that totally unreasonable? No. It's just being practical.

        • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @06:03PM

          by Anonymous Coward on Tuesday July 04 2017, @06:03PM (#534859)

          Those qualifications are specifically related to your performance. I think the analog would be more along the lines here is if the military started refusing admittance from anybody who was more than 1/8th Russian - even if they're a second generation American. I think it's perfectly reasonable to ban or restrict on just about anything that has a real and viable issue, but in this case it seems the only reason for banning Kaspersky was because it's developed by a Russian company.

      • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @01:01PM (2 children)

        by Anonymous Coward on Tuesday July 04 2017, @01:01PM (#534783)

        It's very simple. The government should not be banning software without effectively irrefutable evidence of malfeasance.

        So you say the government should not be free to decide what they run on their own computers?

        • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @05:57PM (1 child)

          by Anonymous Coward on Tuesday July 04 2017, @05:57PM (#534856)

          They absolutely should. That is rather the point.

          Banning software specifically prevents organizations from making their own decisions. To make matters even worse, these top-down level decisions are almost invariably based more on xenophobia and politics than valid concern. Hence the reason we have no Chinese astronauts on the ISS for example.

          • (Score: 2) by frojack on Tuesday July 04 2017, @06:36PM

            by frojack (1554) Subscriber Badge on Tuesday July 04 2017, @06:36PM (#534871) Journal

            You're the only one tossing around this banning word.

            You, your school, your city planning department, the church, the dry-cleaners, can pretty much use any Kaspersky software they want. Its freely available. Its not Banned.

            The General Services Admin does the purchasing for the US Government. Even top secret purchases go through the GSA (special branch). If they have orders not to buy Kaspersky then that's the way it is. Organizations within the US Government should definitely NOT be "making their own decisions" any more than they should be rolling their own encryption algorithms.

            --
            No, you are mistaken. I've always had this sig.
      • (Score: 1, Insightful) by Anonymous Coward on Tuesday July 04 2017, @06:31PM (1 child)

        by Anonymous Coward on Tuesday July 04 2017, @06:31PM (#534867)

        It should be illegal for the government to use any proprietary software, since the government should encourage freedom, independence, and education; proprietary software laughs in the face of all of those things. Additionally, our government should not be dependent on large corporations to do their computing and should be able to hire anyone they want to develop a piece of software.

        • (Score: 0) by Anonymous Coward on Wednesday July 05 2017, @04:34PM

          by Anonymous Coward on Wednesday July 05 2017, @04:34PM (#535255)

          but it's patriotic to use american (yes, The America, motherfuckers!) slaveware to deny american children the technical knowledge necessary to free themselves from the tax funded plantation!

    • (Score: 2) by inertnet on Tuesday July 04 2017, @10:07AM (5 children)

      by inertnet (4071) on Tuesday July 04 2017, @10:07AM (#534748)

      So for instance, it would also be a good thing if the European Union demanded the same from American companies?

      • (Score: 1, Informative) by Anonymous Coward on Tuesday July 04 2017, @10:35AM

        by Anonymous Coward on Tuesday July 04 2017, @10:35AM (#534756)

        So for instance, it would also be a good thing if the European Union demanded the same from American companies?

        Err, it happens?

        https://arstechnica.com/uncategorized/2006/01/6048-2/ [arstechnica.com]
        http://www.pcworld.com/article/2931212/microsoft-lets-eu-governments-inspect-source-code-for-security-issues.html [pcworld.com]

      • (Score: 2) by zocalo on Tuesday July 04 2017, @10:53AM

        by zocalo (302) on Tuesday July 04 2017, @10:53AM (#534759)
        Sure, and as the AC noted, it happens already. For better or worse systems are getting increasingly connected, so the previous approach of "it's air gapped so security doesn't matter quite so much" (which in practice often meant "at all") is becoming less and less relevant. If you are not assuming that the systems you are deploying might have a backdoor - whether deliberately or through incompetence/bugs - and taking any steps you can to mitigate against that then you're doing it wrong. If you're big enough and really have not choice but a closed source solution, then requesting to see the source under NDA, and maybe even compile your own binaries from it in some cases, should absolutely be part of that mitigation, regardless of where you and your supplier are based - and yes, that includes US-US, EU-EU, etc.
        --
        UNIX? They're not even circumcised! Savages!
      • (Score: 2) by mcgrew on Tuesday July 04 2017, @05:26PM (1 child)

        by mcgrew (701) <publish@mcgrewbooks.com> on Tuesday July 04 2017, @05:26PM (#534845) Homepage Journal

        Actually, I think it's foolish for any government to use ANY foreign hardware or code. If I were the EU I'd certainly not use American software and Chinese computers.

        --
        Free Martian whores! [mcgrewbooks.com]
      • (Score: 0) by Anonymous Coward on Wednesday July 05 2017, @01:14AM

        by Anonymous Coward on Wednesday July 05 2017, @01:14AM (#535001)

        It would be good for the EU.

        It would be bad for American companies and their nation. American companies should resist. The US government should apply pressure to the companies to help them resist, and should apply pressure to the EU to discourage the EU from demanding source code.

        Maybe one government caves in exchange for something completely unrelated. Protection of geographic identifiers for example could be adopted by the US or dropped by the EU. Maybe one side buys aircraft from the other. Maybe the EU accepts freedom of speech or the US shuts it down.

    • (Score: 4, Informative) by Spamalope on Tuesday July 04 2017, @01:32PM (1 child)

      by Spamalope (5233) on Tuesday July 04 2017, @01:32PM (#534790) Homepage

      Worrisome?
      3 letter agencies use the source code to craft malware it won't detect and to better search for ways to exploit it?
      They're going to try at least.

      • (Score: 2) by fraxinus-tree on Wednesday July 05 2017, @09:34AM

        by fraxinus-tree (5590) on Wednesday July 05 2017, @09:34AM (#535119)

        3-letter and 4-letter agencies of major world powers (at least down to and including Russia) have the source code of almost anything of interest anyway. There is an established culture of "trading" these things between them even outside usual allies.

  • (Score: 3, Insightful) by The Mighty Buzzard on Tuesday July 04 2017, @10:29AM (5 children)

    Not that I use their products but that's the end of any potential relationship with me. I'd much rather have the Russians hacking my shat than my own government. The Russians don't give two fucks about me and are in no position to do anything about anything they find.

    --
    "Buzzy, you're probably the dumbest person I've ever encountered. Well, there is aristarchus, so make it 2nd dumbest."
    • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @11:16AM (3 children)

      by Anonymous Coward on Tuesday July 04 2017, @11:16AM (#534763)

      and are in no position to do anything about anything they find.

      Emptying out your bank account. Using your machine for a DDOS attack, trojan C&C relay, or whatever. Sending trojaned emails to all your acquaitances.
      To me, it seems anyone in control of your system is in a position to do plenty to you.

      • (Score: 2) by The Mighty Buzzard on Tuesday July 04 2017, @12:03PM (2 children)

        Russian state actors ain't gonna do them type o things. They might at most use the box to launch an attack on infrastructure. Which is the concern of the infrastructure admins not mine.

        --
        "Buzzy, you're probably the dumbest person I've ever encountered. Well, there is aristarchus, so make it 2nd dumbest."
        • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @03:37PM (1 child)

          by Anonymous Coward on Tuesday July 04 2017, @03:37PM (#534813)

          Until that infrastructure is the one that runs your banking or the one that runs logistics that delivers food to your city. Are you an anti-vaxer or something because that's kinda the thinking they use.

          • (Score: 2) by The Mighty Buzzard on Tuesday July 04 2017, @06:11PM

            Irrelevant. There's nothing gained by launching a hack from my box as opposed to the gerzillions of other devices they have rooted already. I have nothing Russia cares about.

            Now US politicians, they desperately want my 4th Amendment rights. Both sides of the aisle do, though the right are pushing for them slightly harder.

            --
            "Buzzy, you're probably the dumbest person I've ever encountered. Well, there is aristarchus, so make it 2nd dumbest."
    • (Score: 2) by frojack on Tuesday July 04 2017, @06:50PM

      by frojack (1554) Subscriber Badge on Tuesday July 04 2017, @06:50PM (#534880) Journal

      I'd much rather have the Russians hacking my shat than my own government.

      This.
      This is why I use Yandex. I'm sure its not more private or secure than Google (from whence they stole most of their code) but a US warrant doesn't reach there, and a Russian one doesn't reach here.

      --
      No, you are mistaken. I've always had this sig.
  • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @11:03AM

    by Anonymous Coward on Tuesday July 04 2017, @11:03AM (#534760)

    Great Mother America announced today that Kaspersky Lab has partnered with the department of state security to bring security to all citizens, the software is now mandatory for the security of the state, also pick up that can

  • (Score: 2) by jmorris on Tuesday July 04 2017, @12:26PM (6 children)

    by jmorris (4844) <{jmorris} {at} {beau.org}> on Tuesday July 04 2017, @12:26PM (#534774)

    Closed source software only came about as an accident of compilers and a severe monoculture in processor arches.

    In a sane world copyright would only cover binaries as derived works, source would be the thing protected. Every customer would get a copy and we would all be super Gentoo "Ricers" compiling a local copy of the binary (when needed) during the installation process. You could look at it, make local changes, etc. but you could no more pass around the source to Quicken than you can pass around the current binary only copies. But most important, what it does would be knowable and keeping software running as the underlying hardware and OS changes over time would be possible beyond the short time the original author cares enough to expend the effort.

    Remember, copyrights and patents are permitted to promote advancement in Science and the Useful Arts. Keeping it secret defeats that purpose.

    • (Score: 2) by jcross on Tuesday July 04 2017, @01:11PM (3 children)

      by jcross (4009) on Tuesday July 04 2017, @01:11PM (#534786)

      I don't know, another advantage of binaries is that they help keep "trade secrets". Of course they can be decompiled, but at least there's some barrier to discovery of your private algorithms. That would also have been a bigger deal back in the day when programs were smaller and did clever things to conserve resources, and a single algorithm might have value. Nowadays programs are so bloated with glue code that can't be usefully extracted from the original project that I think what you're proposing could work. The only issue is distributing a build environment, or having one that's standardized enough, and also that the binary might be a good deal smaller and saves the workload of compiling a huge product. Something tells me Quicken would take some time to build from scratch.

      • (Score: 2) by jmorris on Tuesday July 04 2017, @05:23PM (2 children)

        by jmorris (4844) <{jmorris} {at} {beau.org}> on Tuesday July 04 2017, @05:23PM (#534844)

        I'm sure they love protecting their secrets. But where is the public interest in that? Remember "Intellectual Property" is a lie, RMS is dead right on that one. We grant Copyright and Patents, for limited times, as a cold transaction to improve progress in Science and the Useful Arts. If they get the protection of the government monopoly grant AND keep it secret it is a loss for everyone else.

        Plus forced publication has other benefits. The horrid state of IT security long since became a national security problem. Publication would force commercial vendors to at least bring their standards up to the levels of the Open Source community. Imagine if routine product reviews also included commentary on the quality (or lack thereof) of the source. Would YOU buy an accounting or ERP system if the reviews said things like "horrid mess of barely legible VB" or "we could find multiple security exploits in a half hour of poking around in this fetid bog of .net splicing together a half dozen different other platforms, frameworks and languages that was obviously congealed over a decade of neglect by multiple corporate overlords as it was passed from one charnel house to another, accreting bits of other defunct products, poorly stuffed together by contract code monkeys in every time zone who knew they wouldn't have to deal with the mess in a year." Much more useful than only looking at the final user interface.

        • (Score: 2) by jcross on Tuesday July 04 2017, @05:46PM (1 child)

          by jcross (4009) on Tuesday July 04 2017, @05:46PM (#534853)

          I couldn't agree with you more about closed-source running counter to the public benefit, and thankfully the market does seem to be transitioning away from it. Of course the new kid on the block would be SaaS, which just doubles down on the secrecy. I'd love to be in a position to diss on that with a clear conscience, but unfortunately it pays my bills at the moment.

          • (Score: 0) by Anonymous Coward on Wednesday July 05 2017, @04:45PM

            by Anonymous Coward on Wednesday July 05 2017, @04:45PM (#535261)

            don't be a hooker.

    • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @06:34PM

      by Anonymous Coward on Tuesday July 04 2017, @06:34PM (#534870)

      In a sane world, all software would be Free Software. What you describe is still non-free proprietary user-subjugating software because it doesn't respect the users' four freedoms, and so it remains intolerable.

    • (Score: 2) by frojack on Tuesday July 04 2017, @06:57PM

      by frojack (1554) Subscriber Badge on Tuesday July 04 2017, @06:57PM (#534887) Journal

      You could look at it, make local changes, etc.

      The net result would be the same as we currently have. 99.44% of computers would be running standardized versions from the original providers or companies specializing in knock-offs.

      Look most people can't follow a recipe to make a chocolate cake, or fix a plumbing leak. You want to turn them all to coders?
      And nobody in their right mind would pass around the source code of Quicken. Its utter garbage.

      --
      No, you are mistaken. I've always had this sig.
  • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @02:17PM (2 children)

    by Anonymous Coward on Tuesday July 04 2017, @02:17PM (#534795)
    • (Score: 2) by Unixnut on Tuesday July 04 2017, @04:07PM (1 child)

      by Unixnut (5779) on Tuesday July 04 2017, @04:07PM (#534817)

      > Russian's have been doing it too.

      Everyone does it. Or rather, everyone would do it if they could. If you are offered up a juicy state/corporate contract, but they want to do an audit of your code, you can walk away, or play ball.

      Your code (IP) is worth something to you. What it is worth is how much money you can get for it (or the service it provides).

      For simplicities sake lets say that apart from this fat contract for $$$$, you have not got much else on. This is your companies big break. If you refuse the audit, and lose out on a contract, your code is essentially worthless, so what was the point of protecting it so strongly?

      However if you allow the audit, open up, and get the contract, the code is now worth a lot more, because it has earned you $$$$. Sure, it is less protected now, so there is the risk others may find out your secret sauce, but had you not opened it up, the secret sauce would never have been worth much in the first place.

      This way, you got $$$$ for the code, now others can see it, and possibly pinch ideas. However the code earned you money, feel free to enjoy the money,, or plow the money back into making the code even better, kick starting the cycle again.

      Some times it makes sense to allow people to look at your code (especially as you can bind them under NDAs) if it will further your goals (which in this case, is to make money). As Techies we sometimes put far more emphasis of the code's worth as code, rather than as its ability to make money, which is what others primarily judge it upon.

      • (Score: 2) by frojack on Tuesday July 04 2017, @07:15PM

        by frojack (1554) Subscriber Badge on Tuesday July 04 2017, @07:15PM (#534894) Journal

        What you say makes sense for Joe and Bob, Programmers from the Garage.

        But if you already have a reasonable market for a product, that contract will have to be REALLY REALLY big to make it worth the while.

        Selling 200 extra copies to East Bangladesh is NOT that attractive. Neither are 2 AM Tech support calls.

        In my day job, a decade ago, we refused source code turn over to Lebanon, and we provided source code to California (and regretted it when we found the source code in Google), and accepted Code Escrow agreements with 3 different State Governments and one Canadian Province. (We already had that set up, it was easy to add another name).

        In addition, our company always had a fear of "Growing to Death", gaining more customers than we could support or different language customers that force us to hire more people for tech support, translation, etc. Of course we focused on quality so that there were very few support issues.

        That Mythical Big Contract you talk about usually only comes after you ALREADY serve a sizable one.

        --
        No, you are mistaken. I've always had this sig.
  • (Score: 1, Insightful) by Anonymous Coward on Tuesday July 04 2017, @04:14PM

    by Anonymous Coward on Tuesday July 04 2017, @04:14PM (#534819)

    we wouldn't need Russian antivirus to patch the holes.

  • (Score: 2, Interesting) by JustNiz on Tuesday July 04 2017, @04:19PM (1 child)

    by JustNiz (1573) on Tuesday July 04 2017, @04:19PM (#534821)

    Sure they could give them some nice clean source code. Whats to prove only it went to make the binary though?

    • (Score: 2) by butthurt on Tuesday July 04 2017, @06:41PM

      by butthurt (6141) on Tuesday July 04 2017, @06:41PM (#534875) Journal

      Good question. There's a notion called "reproducible builds" (perhaps known by other names too).

      A build is reproducible if given the same source code, build environment and build instructions, any party can recreate bit-by-bit identical copies of all specified artifacts.

      -- https://reproducible-builds.org/docs/definition/ [reproducible-builds.org]

      I don't know whether Kaspersky Labs complies, or has been asked to comply, with that. Saying "Anything I can do to prove that we don’t behave maliciously I will do it" could be taken to mean that they would comply if asked to.

  • (Score: 2) by stretch611 on Tuesday July 04 2017, @04:22PM (3 children)

    by stretch611 (6199) on Tuesday July 04 2017, @04:22PM (#534823)

    When will they require this of election machine code?

    • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @04:55PM

      by Anonymous Coward on Tuesday July 04 2017, @04:55PM (#534835)

      Never, if anything the government would get access to that source (which they likely already do), not the general public.

    • (Score: 2) by mcgrew on Tuesday July 04 2017, @05:28PM (1 child)

      by mcgrew (701) <publish@mcgrewbooks.com> on Tuesday July 04 2017, @05:28PM (#534847) Homepage Journal

      As long as there are paper ballots that can later be counted by hand it isn't that important.

      --
      Free Martian whores! [mcgrewbooks.com]
      • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @06:39PM

        by Anonymous Coward on Tuesday July 04 2017, @06:39PM (#534874)

        It is important, because the government should not be allowed to use proprietary software at all, and certainly shouldn't be allowed to require others use it if they want to vote (even momentarily).

  • (Score: 0, Redundant) by JustNiz on Tuesday July 04 2017, @04:26PM (1 child)

    by JustNiz (1573) on Tuesday July 04 2017, @04:26PM (#534825)

    Sure they could show the government some nice clean source code. Whats to prove it (and only it) went to make the binary though?

    • (Score: 2) by tangomargarine on Wednesday July 05 2017, @03:03PM

      by tangomargarine (667) on Wednesday July 05 2017, @03:03PM (#535216)

      Presumably they would include the exact build process they use to produce the binary. Then you take the source code, do the build yourself, and checksum the two binaries. If they match, they're being honest.

      --
      "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
  • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @08:25PM

    by Anonymous Coward on Tuesday July 04 2017, @08:25PM (#534914)

    What if hostilities do break out? Americans who use Russian software and Russians who use American software are one malicious update away from being pwn3d.

(1)