
posted by mrpg on Tuesday July 04 2017, @08:19AM
from the here-nsa-take-my-source-code dept.
Kaspersky Willing to Hand Source Code Over to U.S. Government

Kaspersky Lab is willing to go to extreme lengths to reassure the U.S. government about the security of its products:

Eugene Kaspersky is willing to turn over computer code to United States authorities to prove that his company's security products have not been compromised by the Russian government, The Associated Press reported early Sunday.

"If the United States needs, we can disclose the source code," said the creator of beleaguered Moscow-based computer security company Kaspersky Lab in an interview with the AP.

"Anything I can do to prove that we don't behave maliciously I will do it."

Also at Neowin.

In Worrisome Move, Kaspersky Agrees to Turn Over Source Code to US Government

Over the last couple of weeks, there's been a disturbing trend of governments demanding that private tech companies share their source code if they want to do business. Now, the US government is giving the same ultimatum and it's getting what it wants.

On Sunday, the CEO of security firm Kaspersky Labs, Eugene Kaspersky, told the Associated Press that he's willing to show the US government his company's source code. "Anything I can do to prove that we don't behave maliciously I will do it," Kaspersky said while insisting that he's open to testifying before Congress as well.

The company's willingness to share its source code comes after a proposal was put forth in the Senate that "prohibits the [Defense Department] from using software platforms developed by Kaspersky Lab." It goes on to say, "The Secretary of Defense shall ensure that any network connection between ... the Department of Defense and a department or agency of the United States Government that is using or hosting on its networks a software platform [associated with Kaspersky Lab] is immediately severed."

Jeanne Shaheen, a New Hampshire Democrat, tells ABC News that there is "a consensus in Congress and among administration officials that Kaspersky Lab cannot be trusted to protect critical infrastructure." The fears follow years of suspicion from the FBI that Kaspersky Labs is too close to the Russian government. The company is based in Russia but has worked with both Moscow and the FBI in the past, often serving as a go-between to help the two governments cooperate. "As a private company, Kaspersky Lab has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyberespionage efforts," an official statement from Kaspersky Labs reads.

Source: Gizmodo



Related Stories

Kaspersky Lab has been Working With Russian Intelligence

According to emails from October 2009 obtained by Jordan Robertson and Michael Riley at Bloomberg, it appears that Kaspersky Lab has been working with Russian intelligence. Despite long-standing rumours over these connections, Eugene Kaspersky has always denied this to be the case, including as recently as last week in response to questions in the US Senate by Florida Republican Marco Rubio, when he stated on Reddit that claims about Kaspersky Lab's ties to the Kremlin are "unfounded conspiracy theories" and "total BS", and even offered to hand over the source code to the US Government for inspection.

While the exact nature of the co-operation with the FSB is still unclear, in the emails Kaspersky outlines a project undertaken in secret a year earlier "per a big request on the Lubyanka side," a reference to the FSB offices, that "includes both technology to protect against attacks (filters) as well as interaction with the hosters ('spreading' of sacrifice) and active countermeasures (about which, we keep quiet) and so on," Kaspersky wrote in one of the emails. Kaspersky Lab has confirmed that the emails are authentic. Whether this was legitimate work with the FSB in the prevention of cybercrime or securing FSB facilities, or something more nefarious, it seems likely that this is not going to alleviate concerns over the use of their software, putting further pressure on Kaspersky's business in other countries.



U.S. Lawmakers Urge AT&T to Cut Ties With Huawei

Exclusive: U.S. lawmakers urge AT&T to cut commercial ties with Huawei - sources

U.S. lawmakers are urging AT&T Inc, the No. 2 wireless carrier, to cut commercial ties to Chinese phone maker Huawei Technologies Co Ltd and oppose plans by telecom operator China Mobile Ltd to enter the U.S. market because of national security concerns, two congressional aides said.

[...] Earlier this month, AT&T was forced to scrap a plan to offer its customers Huawei handsets after some members of Congress lobbied against the idea with federal regulators, sources told Reuters.

The U.S. government has also blocked a string of Chinese acquisitions over national security concerns, including Ant Financial's proposed purchase of U.S. money transfer company MoneyGram International Inc.

The lawmakers are also advising U.S. firms that if they have ties to Huawei or China Mobile, it could hamper their ability to do business with the U.S. government, one aide said, requesting anonymity because they were not authorized to speak publicly.

Related: NSA Spied on Chinese Government and Huawei
Kaspersky Willing to Hand Source Code Over to U.S. Government
Kaspersky Lab has been Working With Russian Intelligence
FBI Reportedly Advising Companies to Ditch Kaspersky Apps
Federal Government, Concerned About Cyberespionage, Bans Use of Kaspersky Labs Products



Kaspersky Lab Exposed U.S. Military "Slingshot" Malware

US officials: Kaspersky "Slingshot" report burned anti-terror operation

A malware campaign discovered by researchers for Kaspersky Lab this month was in fact a US military operation, according to a report by CyberScoop's Chris Bing and Patrick Howell O'Neill. Unnamed US intelligence officials told CyberScoop that Kaspersky's report had exposed a long-running Joint Special Operations Command (JSOC) operation targeting the Islamic State and Al Qaeda.

The malware used in the campaign, according to the officials, was used to target computers in Internet cafés where it was believed individuals associated with the Islamic State and Al Qaeda would communicate with their organizations' leadership. Kaspersky's report showed Slingshot had targeted computers in countries where ISIS, Al Qaeda, and other radical Islamic terrorist groups have a presence or recruit: Afghanistan, Yemen, Iraq, Jordan, Turkey, Libya, Sudan, Somalia, Kenya, Tanzania, and the Democratic Republic of Congo.

The publication of the report, the officials contended, likely caused JSOC to abandon the operation and may have put the lives of soldiers fighting ISIS and Al Qaeda in danger. One former intelligence official told CyberScoop that it was standard operating procedure "to kill it all with fire once you get caught... It happens sometimes and we're accustomed to dealing with it. But it still sucks. I can tell you this didn't help anyone."

This is good malware. You can't expose the good malware!

Related: Kaspersky Claims to have Found NSA's Advanced Malware Trojan
Ties Alleged Between Kaspersky Lab and Russian Intelligence Agencies
Kaspersky Willing to Hand Source Code Over to U.S. Government
Kaspersky Lab has been Working With Russian Intelligence
FBI Reportedly Advising Companies to Ditch Kaspersky Apps
Federal Government, Concerned About Cyberespionage, Bans Use of Kaspersky Labs Products
Kaspersky Lab and Lax Contractor Blamed for Russian Acquisition of NSA Tools



  • (Score: 3, Insightful) by Anonymous Coward on Tuesday July 04 2017, @08:45AM (6 children)

    by Anonymous Coward on Tuesday July 04 2017, @08:45AM (#534734)

    In reading about our red scares in text books it always feels like some distant world. How could an entire country become so unjustly paranoid and throw out all notions of innocent until proven guilty?

    It feels as though we're now going down what must have already happened in the past. Notions of innocent until proven guilty are gradually being replaced with swinging wild allegations and just hoping something will stick. And invariably something will stick if only because of the 6 degrees of separation effect. And that coincidence is in turn used to justify the allegations and support even more extreme allegations and investigations. We're now reaching the point that parties, who I will presume are innocent as they most certainly have not been proven guilty, are now having to volunteer to lay themselves bare in front of congress just to try to reclaim the presumption of innocence that's been tossed aside for no apparent reason other than paranoia and politics.

    It's kind of terrifying how gradual and 'normal' this all feels. Red scares, literal witch hunts, the inquisition, and so on. I wonder... did they all feel similarly natural? At this point I'd be more willing to have The Forbin Project making decisions than humans. We're too incapable of sticking to our ethical guidelines when going against them feels so right and so natural.

    • (Score: 5, Insightful) by lx on Tuesday July 04 2017, @09:12AM (1 child)

      by lx (1915) on Tuesday July 04 2017, @09:12AM (#534737)

      If you haven't noticed, the scare has been underway for a long time now. It is sad to see all Russians lumped in with the criminals around Putin.
      On the other hand, looking in from outside I often find it difficult to distinguish between Americans and the shit your government pulls. [reuters.com] (Random recent example. The efforts under Dronemaster Barry were pretty bad as well)

      • (Score: 1, Interesting) by Anonymous Coward on Tuesday July 04 2017, @04:41PM

        by Anonymous Coward on Tuesday July 04 2017, @04:41PM (#534830)

        There are 48+ percent of Americans who AREN'T any different from the policy America is pushing these years.

        The only real difference is which ~48 percent it is.

        It wasn't until this past election that I realized how true it was/had become in America. But the country has basically devolved into two giant sports teams screaming epithets at each other while trying to undo the other's policies, with no actual attention paid to what is best for America domestically and/or what is best for America internationally, both in providing continued bilateral international trade, as well as sufficient political capital to stay on cool to friendly terms with most of the international community.

        War may be good for the arms business, but it is lousy for sustained and interconnected economic growth between otherwise culturally opposed countries.

    • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @09:32AM

      by Anonymous Coward on Tuesday July 04 2017, @09:32AM (#534743)

      the media does not mean the whole country for fuck sake. the MSM just has a hardon for ratings, nothing more. the fact that this baseless nonsense is being talked about constantly without a single shred of fucking evidence outside of he-said-she-said should tell you all you need to know.

    • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @06:27PM (1 child)

      by Anonymous Coward on Tuesday July 04 2017, @06:27PM (#534866)

      The real problem is that this is proprietary software and no one should trust it anyway. If they can't even be bothered to give their users freedom, then they are worthless and abusive.

      • (Score: 0) by Anonymous Coward on Wednesday July 05 2017, @04:27PM

        by Anonymous Coward on Wednesday July 05 2017, @04:27PM (#535252)

        yeah, the dumb whores in washington should be requiring source from all companies that want to sell software to tax payers. singling out kaspersky, under false pretenses, is disgustingly stupid. i've seen many indications in the past that, for slaveware peddlers, they at least try to do what they say they do (attempting to protect slaveOS).

    • (Score: 2) by Reziac on Wednesday July 05 2017, @03:22AM

      by Reziac (2489) on Wednesday July 05 2017, @03:22AM (#535042)
      --
      And there is no Alkibiades to come back and save us from ourselves.
  • (Score: 1, Interesting) by Anonymous Coward on Tuesday July 04 2017, @09:06AM (7 children)

    by Anonymous Coward on Tuesday July 04 2017, @09:06AM (#534736)

    Which department of the US government is going to audit the code? They better be fluent in Russian because I doubt Kaspersky wrote their variable names & comments in English.

    And how will they know that what they got is the same/complete source code used in the available Kaspersky product line? Different versions of libraries, etc. will make it hard for the US to compile/produce an exact duplicate of the products shipped by Kaspersky. I'm not saying it can't be done - just that the US government aren't exactly competent when it comes to technology.
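The reproducibility concern raised in the comment above (same source, different library versions, no bit-identical binary) is exactly what a build-verification check has to deal with. The following is an added example, not code from the original page or from Kaspersky: a small Python check that compares a shipped artifact against a local rebuild, reports every byte offset that differs, and masks only the one field a non-reproducible toolchain is expected to vary (the COFF TimeDateStamp in the PE header), so that any remaining difference has to be explained. The two sample blobs are constructed, minimal PE-shaped byte strings standing in for a vendor build and a rebuild; they are not loadable images and not real binaries.

```python
import hashlib
import struct

# Real PE layout facts the check relies on: e_lfanew lives at offset 0x3C of
# the DOS header, and the COFF TimeDateStamp sits 8 bytes past "PE\0\0".
E_LFANEW_OFFSET = 0x3C
COFF_TIMESTAMP_DELTA = 8


def build_sample_pe(timestamp: int, code: bytes = b"\x90" * 32) -> bytes:
    """Constructed stand-in for a vendor binary: a minimal PE-shaped blob.
    Only the fields the check reads are populated (assumption: this is
    illustrative data, not a real executable)."""
    e_lfanew = 0x40
    blob = bytearray(b"MZ")
    blob += b"\0" * (E_LFANEW_OFFSET - len(blob))
    blob += struct.pack("<I", e_lfanew)                 # e_lfanew -> PE signature
    assert len(blob) == e_lfanew
    blob += b"PE\0\0"
    blob += struct.pack("<HHI", 0x8664, 1, timestamp)   # Machine, NumberOfSections, TimeDateStamp
    blob += b"\0" * 12                                  # remainder of the COFF header
    blob += b".text\0\0\0" + code                       # a token "code section"
    return bytes(blob)


def coff_timestamp_offset(blob: bytes) -> int:
    """Locate the TimeDateStamp field by walking the DOS header to the PE signature."""
    if blob[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", blob, E_LFANEW_OFFSET)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + COFF_TIMESTAMP_DELTA


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def mask_timestamp(blob: bytes) -> bytes:
    """Zero the one field a non-deterministic toolchain is known to vary."""
    off = coff_timestamp_offset(blob)
    masked = bytearray(blob)
    masked[off:off + 4] = b"\0\0\0\0"
    return bytes(masked)


def differing_offsets(a: bytes, b: bytes) -> list:
    """Every byte offset at which the two artifacts disagree (length mismatch included)."""
    n = min(len(a), len(b))
    diffs = [i for i in range(n) if a[i] != b[i]]
    diffs += list(range(n, max(len(a), len(b))))
    return diffs


def compare_build(shipped: bytes, rebuilt: bytes) -> dict:
    """Report whether the rebuild matches the shipped artifact, and whether any
    difference falls outside the timestamp field we have agreed to tolerate."""
    ts_off = coff_timestamp_offset(shipped)
    tolerated = set(range(ts_off, ts_off + 4))
    diffs = differing_offsets(shipped, rebuilt)
    return {
        "raw_match": sha256_hex(shipped) == sha256_hex(rebuilt),
        "masked_match": sha256_hex(mask_timestamp(shipped)) == sha256_hex(mask_timestamp(rebuilt)),
        "diff_offsets": diffs,
        "unexplained_offsets": [d for d in diffs if d not in tolerated],
    }


if __name__ == "__main__":
    shipped = build_sample_pe(0x5950B000)   # constructed "vendor" build
    rebuilt = build_sample_pe(0x5952C1A4)   # same source, built from scratch later
    print(compare_build(shipped, rebuilt))  # masked_match True, nothing unexplained
    tampered = build_sample_pe(0x5952C1A4, code=b"\x90" * 31 + b"\xCC")
    print(compare_build(shipped, tampered)) # one unexplained byte in the code section
```

Reporting unexplained offsets rather than a bare hash mismatch is the point: a failed comparison has to be attributable. A timestamp or embedded build path is tolerable once understood; a stray byte in a code section is not. The better fix is to make the toolchain deterministic in the first place (GCC and Clang honour SOURCE_DATE_EPOCH) so that the raw hashes match and nothing needs masking.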

    • (Score: 4, Interesting) by zocalo on Tuesday July 04 2017, @09:41AM (3 children)

      by zocalo (302) on Tuesday July 04 2017, @09:41AM (#534746)
      Depends how far Kaspersky is willing to go in order to try and secure a US Government contract. I was involved in some early discussions with Huawei back when they were first starting to get involved in selling to the West and there was all that talk about how the Chinese might have backdoored the products; a very valid concern for us since the proposed deployment would have been on a major national infrastructure project. Besides making a similar offer to Kaspersky - turning over all their code and so on to GCHQ for inspection in our case - they were also apparently quite willing to help set up the necessary build infrastructure for us to roll our own firmware from their code, and didn't rule out a suggestion of some customisation like dropping functionality we wouldn't need to reduce the attack surface and so on. In our case we didn't really need to pursue that to the point of getting a contract thrashed out - just make it clear that the offer was on the table and roughly how it would work - but it should be entirely possible for the US to do something similar with Kaspersky if both parties are amenable to it.

      As you note though, that still leaves the question of whether the US has anyone competent enough to do it in a way that ensures the process can't be backdoored in the event that Kaspersky does end up under the thumb of the Russian government at some point. Given that could be as simple as failing to include some detection signatures for the FSB's equivalent of the NSA's hacking tool suite, that had better include some kind of defence in depth strategy that doesn't mean that any specific link in the security chain failing is a major problem, but if you can do that then the need for the audit of Kaspersky's code is mostly moot anyway.
      --
      UNIX? They're not even circumcised! Savages!
      • (Score: 1, Interesting) by Anonymous Coward on Tuesday July 04 2017, @02:07PM

        by Anonymous Coward on Tuesday July 04 2017, @02:07PM (#534794)

        Of course Huawei is willing to provide code, and even let you compile it yourself. The backdoors are built into the hardware, the code doesn't matter.

      • (Score: 2) by frojack on Tuesday July 04 2017, @06:18PM (1 child)

        by frojack (1554) on Tuesday July 04 2017, @06:18PM (#534863)

        Given that could be as simple as failing to include some detection signatures for the FSB's equivalent of the NSA's hacking tool suite that had better include some kind of defence in depth

        Since the signatures are updated in near real time, providing them at all is pointless.

        The engine, however would be very worthwhile to audit, so that you could see what telemetry it is sending back, how, (or if) that is encrypted, and the keys used for encryption, etc.

        After all, a "security" product doesn't have to be perfect (especially in a constantly changing world) it just has to NOT be a BEACHHEAD.

        Obtaining the signatures structure specifications, so that you could create your own signature addendums would be useful too.

        The problem I see is the US Government's inability to prevent leaks means that ALL of this information ends up in the blackhat hands in short order. Who's to say the US Government aren't the worst blackhats in the world?

        --
        No, you are mistaken. I've always had this sig.
        • (Score: 2) by zocalo on Tuesday July 04 2017, @07:01PM

          by zocalo (302) on Tuesday July 04 2017, @07:01PM (#534890)
          Yeah, that's kind of my point. Valuable as a code audit of an AV package might be to check for backdoors, flaws, telemetry, etc., it's not really going to do anything to assure you that the software won't turn a blind eye to any government malware they've been forced to ignore. Even if you were to try and audit the signatures - Sisyphean task that it is - it would be rather tricky to determine not only that it omitted a signature for a 0day but that the omission was deliberate when no one else is aware of it yet either. That's where the defence in depth comes in; even clueful home users are not just relying on an AV package anymore; as a minimum they'll usually also have a firewall, and maybe a script blocker plus some other tools running as well, so if one link does fail the others can hopefully pick up the slack, or at least minimise the damage. Any corporation or government agency that isn't doing all that and more already probably isn't going to benefit from a code audit anyway - if anything, it'll just give them a false sense of security.
          --
          UNIX? They're not even circumcised! Savages!
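A source audit tells you what the engine is built to send; the complementary runtime control that frojack's and zocalo's comments above both point at is watching what it actually sends, so that the product cannot quietly become a beachhead even if the audit missed something. The following is an added example, not code from the original page or from any vendor: a Python egress check run over constructed connection-log lines (assumed format: timestamp, process name, source IP, destination, destination port, bytes out, bytes in). It flags the AV process talking to a destination the vendor never declared, talking to a declared host on an undeclared (here, plaintext) port, and pushing more data out than the declared telemetry budget allows. The process name, the declared endpoint hostnames and the upload threshold are hypothetical placeholders, not real Kaspersky infrastructure.

```python
from collections import defaultdict

# Hypothetical allow-list: the update/telemetry endpoints and ports the vendor
# documents (assumption for this example; not real vendor infrastructure).
DECLARED_ENDPOINTS = {
    "updates.example-av.invalid": {443},
    "ksn.example-av.invalid": {443},
}
AV_PROCESSES = {"avp.exe"}            # assumed AV engine process name (hypothetical)
UPLOAD_THRESHOLD = 5 * 1024 * 1024    # bytes out per destination before we care (assumption)

# Constructed sample log: timestamp process src dst dport bytes_out bytes_in
SAMPLE_LOG = """\
2017-07-04T08:19:02Z avp.exe    10.0.0.7 updates.example-av.invalid 443  18234   1048576
2017-07-04T08:19:05Z avp.exe    10.0.0.7 ksn.example-av.invalid     443  2048    640
2017-07-04T08:20:11Z avp.exe    10.0.0.7 203.0.113.50               8443 7340032 900
2017-07-04T08:20:40Z chrome.exe 10.0.0.7 203.0.113.50               443  1200    3000
2017-07-04T08:21:03Z avp.exe    10.0.0.7 ksn.example-av.invalid     80   512     0
"""


def parse_line(line: str) -> dict:
    """Split one whitespace-separated connection record into typed fields."""
    ts, proc, src, dst, dport, out_b, in_b = line.split()
    return {"ts": ts, "proc": proc, "src": src, "dst": dst,
            "dport": int(dport), "out": int(out_b), "in": int(in_b)}


def audit_egress(log_text: str, declared=DECLARED_ENDPOINTS,
                 av_procs=AV_PROCESSES, threshold=UPLOAD_THRESHOLD) -> list:
    """Return findings for AV-process connections that leave the declared envelope.

    Per-record findings come first (undeclared destination, undeclared port);
    per-destination volume findings are appended after the whole log is read."""
    findings = []
    bytes_out_by_dst = defaultdict(int)

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proc"] not in av_procs:
            continue                      # other processes are out of scope here
        bytes_out_by_dst[rec["dst"]] += rec["out"]

        if rec["dst"] not in declared:
            findings.append({"kind": "undeclared_destination", "ts": rec["ts"],
                             "dst": rec["dst"], "dport": rec["dport"]})
        elif rec["dport"] not in declared[rec["dst"]]:
            # Declared host, but a port the vendor never documented: this is the
            # "how (or if) is it encrypted" question showing up on the wire.
            findings.append({"kind": "undeclared_port", "ts": rec["ts"],
                             "dst": rec["dst"], "dport": rec["dport"]})

    for dst, total in bytes_out_by_dst.items():
        if total > threshold:
            findings.append({"kind": "excessive_upload", "dst": dst, "bytes_out": total})
    return findings


if __name__ == "__main__":
    for finding in audit_egress(SAMPLE_LOG):
        print(finding)
```

The allow-list is deliberately keyed on destination and port together: a telemetry host is only "declared" for the protocol the vendor committed to, so a fallback to plaintext or an alternate port surfaces as a finding rather than disappearing behind a trusted hostname. In a real deployment the same rule belongs in the egress firewall as well, so that the check is enforced and not merely observed.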
    • (Score: 3, Informative) by Runaway1956 on Tuesday July 04 2017, @10:24AM

      by Runaway1956 (2926) on Tuesday July 04 2017, @10:24AM (#534750)

      The Department of the Navy has boatloads of cryptography techs who are fluent in Russian, if no other department has them. I can't say how many CT's are also programmers, or competent to audit code, but some of them are.

    • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @12:54PM

      by Anonymous Coward on Tuesday July 04 2017, @12:54PM (#534781)

      Which department of the US government is going to audit the code? They better be fluent in Russian because I doubt Kaspersky wrote their variable names & comments in English.

      If you want to be sure, you have to understand the actual code anyway. Variable names and comments could be misleading (accidentally or intentionally). Only the information that ends up in the compiled and executed code is really relevant.

    • (Score: 4, Informative) by fraxinus-tree on Tuesday July 04 2017, @02:33PM

      by fraxinus-tree (5590) on Tuesday July 04 2017, @02:33PM (#534800)

      My native language (Bulgarian) also uses Cyrillic alphabet (well, it is Russian that is an old pirated version of it) and I can assure you that most program code I have seen has pretty much English identifiers and (if any) English comments. It is just a major hassle to switch both your keyboard and your brain to something THAT MUCH different.

  • (Score: 2) by zocalo on Tuesday July 04 2017, @09:17AM (17 children)

    by zocalo (302) on Tuesday July 04 2017, @09:17AM (#534738)
    I really don't see what is "worrisome" about this, at least not for Kaspersky. It's hardly novel for a closed-source software or hardware company to turn over their code for inspection by government agencies or their designated external auditors; even the likes of Microsoft have done it when it came down to either that or losing out on suitably large potential markets for their products. Huawei was extremely vocal about their offer to do the same in an attempt to assuage Western governments that their hardware was safe when they were first trying to get established in the West - supposedly even to the point of providing the source to compile the firmware for some major contracts (which does nothing for anything that might be baked into the chips, of course).

    Factor in that this is likely to only happen under controlled conditions with all code requests logged and backed up with NDAs and other legal agreements to discourage anyone from thinking that they could leak some (or all) of the code and get away with it, and there's really quite minimal risk for Kaspersky here. The potential pay off though is huge; how many PCs and other devices (Kaspersky supports mobile devices too) that could potentially be running a licensed copy of Kaspersky AV does the US Government have, all told? Tens of millions seems quite likely, and that's going to add up to quite a large chunk of on-going revenue when you factor in their annual update subscription pricing model, and Kaspersky also gets a unique selling point out of the deal: The US will have audited their code (on their dime too!) and would have a very good idea of the quality of the code, possibly even advising Kaspersky of any potential coding flaws they might have identified - how many of the Western based competitors would be in a position to claim that?
    --
    UNIX? They're not even circumcised! Savages!
    • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @09:36AM (8 children)

      by Anonymous Coward on Tuesday July 04 2017, @09:36AM (#534744)

      It's very simple. The government should not be banning software without effectively irrefutable evidence of malfeasance. In this case it's clear such evidence does not exist. There's no security through obscurity here. If the government had solid evidence then source access would be more than sufficient to confirm or deny their suspicions. We are, terrifyingly naturally, turning into a country where people and companies who fall out of favor with 'the powers that be' are guilty until proven innocent. Pair this with the fact that we are now also increasingly more willing to shoot first and ask questions later, even preemptively, and this becomes a very dangerous path to go down.

      • (Score: 2) by takyon on Tuesday July 04 2017, @12:42PM

        by takyon (881) on Tuesday July 04 2017, @12:42PM (#534777)

        The government should not be banning software without effectively irrefutable evidence of malfeasance.

        Are they banning you from running Kaspersky or are they banning it on their own computers?

        --
        [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
      • (Score: 2) by Wootery on Tuesday July 04 2017, @12:49PM (1 child)

        by Wootery (2341) on Tuesday July 04 2017, @12:49PM (#534779)

        The government should not be banning software without effectively irrefutable evidence of malfeasance.

        Disagree. We're not talking about a criminal trial here.

        If you want to join the military, they have a list of things that can immediately disqualify you. That's not because they mean you're definitely going to screw things up, it's more of a precaution. Is that totally unreasonable? No. It's just being practical.

        • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @06:03PM

          by Anonymous Coward on Tuesday July 04 2017, @06:03PM (#534859)

          Those qualifications are specifically related to your performance. I think the analog would be more along the lines here is if the military started refusing admittance from anybody who was more than 1/8th Russian - even if they're a second generation American. I think it's perfectly reasonable to ban or restrict on just about anything that has a real and viable issue, but in this case it seems the only reason for banning Kaspersky was because it's developed by a Russian company.

      • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @01:01PM (2 children)

        by Anonymous Coward on Tuesday July 04 2017, @01:01PM (#534783)

        It's very simple. The government should not be banning software without effectively irrefutable evidence of malfeasance.

        So you say the government should not be free to decide what they run on their own computers?

        • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @05:57PM (1 child)

          by Anonymous Coward on Tuesday July 04 2017, @05:57PM (#534856)

          They absolutely should. That is rather the point.

          Banning software specifically prevents organizations from making their own decisions. To make matters even worse, these top-down level decisions are almost invariably based more on xenophobia and politics than valid concern. Hence the reason we have no Chinese astronauts on the ISS for example.

          • (Score: 2) by frojack on Tuesday July 04 2017, @06:36PM

            by frojack (1554) on Tuesday July 04 2017, @06:36PM (#534871)

            You're the only one tossing around this banning word.

            You, your school, your city planning department, the church, the dry-cleaners, can pretty much use any Kaspersky software they want. Its freely available. Its not Banned.

            The General Services Admin does the purchasing for the US Government. Even top secret purchases go through the GSA (special branch). If they have orders not to buy Kaspersky then that's the way it is. Organizations within the US Government should definitely NOT be "making their own decisions" any more than they should be rolling their own encryption algorithms.

            --
            No, you are mistaken. I've always had this sig.
      • (Score: 1, Insightful) by Anonymous Coward on Tuesday July 04 2017, @06:31PM (1 child)

        by Anonymous Coward on Tuesday July 04 2017, @06:31PM (#534867)

        It should be illegal for the government to use any proprietary software, since the government should encourage freedom, independence, and education; proprietary software laughs in the face of all of those things. Additionally, our government should not be dependent on large corporations to do their computing and should be able to hire anyone they want to develop a piece of software.

        • (Score: 0) by Anonymous Coward on Wednesday July 05 2017, @04:34PM

          by Anonymous Coward on Wednesday July 05 2017, @04:34PM (#535255)

          but it's patriotic to use american (yes, The America, motherfuckers!) slaveware to deny american children the technical knowledge necessary to free themselves from the tax funded plantation!

    • (Score: 2) by inertnet on Tuesday July 04 2017, @10:07AM (5 children)

      by inertnet (4071) on Tuesday July 04 2017, @10:07AM (#534748)

      So for instance, it would also be a good thing if the European Union demanded the same from American companies?

      • (Score: 1, Informative) by Anonymous Coward on Tuesday July 04 2017, @10:35AM

        by Anonymous Coward on Tuesday July 04 2017, @10:35AM (#534756)

        So for instance, it would also be a good thing if the European Union demanded the same from American companies?

        Err, it happens?

        https://arstechnica.com/uncategorized/2006/01/6048-2/ [arstechnica.com]
        http://www.pcworld.com/article/2931212/microsoft-lets-eu-governments-inspect-source-code-for-security-issues.html [pcworld.com]

      • (Score: 2) by zocalo on Tuesday July 04 2017, @10:53AM

        by zocalo (302) on Tuesday July 04 2017, @10:53AM (#534759)
        Sure, and as the AC noted, it happens already. For better or worse systems are getting increasingly connected, so the previous approach of "it's air gapped so security doesn't matter quite so much" (which in practice often meant "at all") is becoming less and less relevant. If you are not assuming that the systems you are deploying might have a backdoor - whether deliberately or through incompetence/bugs - and taking any steps you can to mitigate against that then you're doing it wrong. If you're big enough and really have no choice but a closed source solution, then requesting to see the source under NDA, and maybe even compiling your own binaries from it in some cases, should absolutely be part of that mitigation, regardless of where you and your supplier are based - and yes, that includes US-US, EU-EU, etc.
        --
        UNIX? They're not even circumcised! Savages!
      • (Score: 2) by mcgrew on Tuesday July 04 2017, @05:26PM (1 child)

        by mcgrew (701) on Tuesday July 04 2017, @05:26PM (#534845)

        Actually, I think it's foolish for any government to use ANY foreign hardware or code. If I were the EU I'd certainly not use American software and Chinese computers.

        --
        mcgrewbooks.com mcgrew.info nooze.org
      • (Score: 0) by Anonymous Coward on Wednesday July 05 2017, @01:14AM

        by Anonymous Coward on Wednesday July 05 2017, @01:14AM (#535001)

        It would be good for the EU.

        It would be bad for American companies and their nation. American companies should resist. The US government should apply pressure to the companies to help them resist, and should apply pressure to the EU to discourage the EU from demanding source code.

        Maybe one government caves in exchange for something completely unrelated. Protection of geographic identifiers for example could be adopted by the US or dropped by the EU. Maybe one side buys aircraft from the other. Maybe the EU accepts freedom of speech or the US shuts it down.

    • (Score: 4, Informative) by Spamalope on Tuesday July 04 2017, @01:32PM (1 child)

      by Spamalope (5233) on Tuesday July 04 2017, @01:32PM (#534790)

      Worrisome?
      3 letter agencies use the source code to craft malware it won't detect and to better search for ways to exploit it?
      They're going to try at least.

      • (Score: 2) by fraxinus-tree on Wednesday July 05 2017, @09:34AM

        by fraxinus-tree (5590) on Wednesday July 05 2017, @09:34AM (#535119)

        3-letter and 4-letter agencies of major world powers (at least down to and including Russia) have the source code of almost anything of interest anyway. There is an established culture of "trading" these things between them even outside usual allies.

  • (Score: 3, Insightful) by The Mighty Buzzard on Tuesday July 04 2017, @10:29AM (5 children)

    Not that I use their products but that's the end of any potential relationship with me. I'd much rather have the Russians hacking my shat than my own government. The Russians don't give two fucks about me and are in no position to do anything about anything they find.

    --
    My rights don't end where your fear begins.
    • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @11:16AM (3 children)

      by Anonymous Coward on Tuesday July 04 2017, @11:16AM (#534763)

      and are in no position to do anything about anything they find.

      Emptying out your bank account. Using your machine for a DDoS attack, trojan C&C relay, or whatever. Sending trojaned emails to all your acquaintances.
      To me, it seems anyone in control of your system is in a position to do plenty to you.

      • (Score: 2) by The Mighty Buzzard on Tuesday July 04 2017, @12:03PM (2 children)

        Russian state actors ain't gonna do them type o things. They might at most use the box to launch an attack on infrastructure. Which is the concern of the infrastructure admins not mine.

        --
        My rights don't end where your fear begins.
        • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @03:37PM (1 child)

          by Anonymous Coward on Tuesday July 04 2017, @03:37PM (#534813)

Until that infrastructure is the one that runs your banking or the one that runs logistics that delivers food to your city. Are you an anti-vaxxer or something? Because that's kinda the thinking they use.

          • (Score: 2) by The Mighty Buzzard on Tuesday July 04 2017, @06:11PM

            Irrelevant. There's nothing gained by launching a hack from my box as opposed to the gerzillions of other devices they have rooted already. I have nothing Russia cares about.

            Now US politicians, they desperately want my 4th Amendment rights. Both sides of the aisle do, though the right are pushing for them slightly harder.

            --
            My rights don't end where your fear begins.
    • (Score: 2) by frojack on Tuesday July 04 2017, @06:50PM

      by frojack (1554) on Tuesday July 04 2017, @06:50PM (#534880) Journal

      I'd much rather have the Russians hacking my shat than my own government.

      This.
This is why I use Yandex. I'm sure it's not more private or secure than Google (from whence they stole most of their code) but a US warrant doesn't reach there, and a Russian one doesn't reach here.

      --
      No, you are mistaken. I've always had this sig.
  • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @11:03AM

    by Anonymous Coward on Tuesday July 04 2017, @11:03AM (#534760)

    Great Mother America announced today that Kaspersky Lab has partnered with the department of state security to bring security to all citizens, the software is now mandatory for the security of the state, also pick up that can

  • (Score: 2) by jmorris on Tuesday July 04 2017, @12:26PM (6 children)

    by jmorris (4844) on Tuesday July 04 2017, @12:26PM (#534774)

    Closed source software only came about as an accident of compilers and a severe monoculture in processor arches.

    In a sane world copyright would only cover binaries as derived works, source would be the thing protected. Every customer would get a copy and we would all be super Gentoo "Ricers" compiling a local copy of the binary (when needed) during the installation process. You could look at it, make local changes, etc. but you could no more pass around the source to Quicken than you can pass around the current binary only copies. But most important, what it does would be knowable and keeping software running as the underlying hardware and OS changes over time would be possible beyond the short time the original author cares enough to expend the effort.

    Remember, copyrights and patents are permitted to promote advancement in Science and the Useful Arts. Keeping it secret defeats that purpose.

    • (Score: 2) by jcross on Tuesday July 04 2017, @01:11PM (3 children)

      by jcross (4009) on Tuesday July 04 2017, @01:11PM (#534786)

      I don't know, another advantage of binaries is that they help keep "trade secrets". Of course they can be decompiled, but at least there's some barrier to discovery of your private algorithms. That would also have been a bigger deal back in the day when programs were smaller and did clever things to conserve resources, and a single algorithm might have value. Nowadays programs are so bloated with glue code that can't be usefully extracted from the original project that I think what you're proposing could work. The only issue is distributing a build environment, or having one that's standardized enough, and also that the binary might be a good deal smaller and saves the workload of compiling a huge product. Something tells me Quicken would take some time to build from scratch.

      • (Score: 2) by jmorris on Tuesday July 04 2017, @05:23PM (2 children)

        by jmorris (4844) on Tuesday July 04 2017, @05:23PM (#534844)

        I'm sure they love protecting their secrets. But where is the public interest in that? Remember "Intellectual Property" is a lie, RMS is dead right on that one. We grant Copyright and Patents, for limited times, as a cold transaction to improve progress in Science and the Useful Arts. If they get the protection of the government monopoly grant AND keep it secret it is a loss for everyone else.

        Plus forced publication has other benefits. The horrid state of IT security long since became a national security problem. Publication would force commercial vendors to at least bring their standards up to the levels of the Open Source community. Imagine if routine product reviews also included commentary on the quality (or lack thereof) of the source. Would YOU buy an accounting or ERP system if the reviews said things like "horrid mess of barely legible VB" or "we could find multiple security exploits in a half hour of poking around in this fetid bog of .net splicing together a half dozen different other platforms, frameworks and languages that was obviously congealed over a decade of neglect by multiple corporate overlords as it was passed from one charnel house to another, accreting bits of other defunct products, poorly stuffed together by contract code monkeys in every time zone who knew they wouldn't have to deal with the mess in a year." Much more useful than only looking at the final user interface.

        • (Score: 2) by jcross on Tuesday July 04 2017, @05:46PM (1 child)

          by jcross (4009) on Tuesday July 04 2017, @05:46PM (#534853)

          I couldn't agree with you more about closed-source running counter to the public benefit, and thankfully the market does seem to be transitioning away from it. Of course the new kid on the block would be SaaS, which just doubles down on the secrecy. I'd love to be in a position to diss on that with a clear conscience, but unfortunately it pays my bills at the moment.

          • (Score: 0) by Anonymous Coward on Wednesday July 05 2017, @04:45PM

            by Anonymous Coward on Wednesday July 05 2017, @04:45PM (#535261)

            don't be a hooker.

    • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @06:34PM

      by Anonymous Coward on Tuesday July 04 2017, @06:34PM (#534870)

      In a sane world, all software would be Free Software. What you describe is still non-free proprietary user-subjugating software because it doesn't respect the users' four freedoms, and so it remains intolerable.

    • (Score: 2) by frojack on Tuesday July 04 2017, @06:57PM

      by frojack (1554) on Tuesday July 04 2017, @06:57PM (#534887) Journal

      You could look at it, make local changes, etc.

      The net result would be the same as we currently have. 99.44% of computers would be running standardized versions from the original providers or companies specializing in knock-offs.

      Look most people can't follow a recipe to make a chocolate cake, or fix a plumbing leak. You want to turn them all to coders?
And nobody in their right mind would pass around the source code of Quicken. It's utter garbage.

      --
      No, you are mistaken. I've always had this sig.
  • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @02:17PM (2 children)

    by Anonymous Coward on Tuesday July 04 2017, @02:17PM (#534795)
    • (Score: 2) by Unixnut on Tuesday July 04 2017, @04:07PM (1 child)

      by Unixnut (5779) on Tuesday July 04 2017, @04:07PM (#534817)

      > Russian's have been doing it too.

      Everyone does it. Or rather, everyone would do it if they could. If you are offered up a juicy state/corporate contract, but they want to do an audit of your code, you can walk away, or play ball.

      Your code (IP) is worth something to you. What it is worth is how much money you can get for it (or the service it provides).

For simplicity's sake let's say that apart from this fat contract for $$$$, you have not got much else on. This is your company's big break. If you refuse the audit, and lose out on a contract, your code is essentially worthless, so what was the point of protecting it so strongly?

      However if you allow the audit, open up, and get the contract, the code is now worth a lot more, because it has earned you $$$$. Sure, it is less protected now, so there is the risk others may find out your secret sauce, but had you not opened it up, the secret sauce would never have been worth much in the first place.

This way, you got $$$$ for the code, now others can see it, and possibly pinch ideas. However the code earned you money, feel free to enjoy the money, or plow the money back into making the code even better, kick starting the cycle again.

Sometimes it makes sense to allow people to look at your code (especially as you can bind them under NDAs) if it will further your goals (which in this case, is to make money). As Techies we sometimes put far more emphasis on the code's worth as code, rather than on its ability to make money, which is what others primarily judge it upon.

      • (Score: 2) by frojack on Tuesday July 04 2017, @07:15PM

        by frojack (1554) on Tuesday July 04 2017, @07:15PM (#534894) Journal

        What you say makes sense for Joe and Bob, Programmers from the Garage.

        But if you already have a reasonable market for a product, that contract will have to be REALLY REALLY big to make it worth the while.

        Selling 200 extra copies to East Bangladesh is NOT that attractive. Neither are 2 AM Tech support calls.

        In my day job, a decade ago, we refused source code turn over to Lebanon, and we provided source code to California (and regretted it when we found the source code in Google), and accepted Code Escrow agreements with 3 different State Governments and one Canadian Province. (We already had that set up, it was easy to add another name).

        In addition, our company always had a fear of "Growing to Death", gaining more customers than we could support or different language customers that force us to hire more people for tech support, translation, etc. Of course we focused on quality so that there were very few support issues.

        That Mythical Big Contract you talk about usually only comes after you ALREADY serve a sizable one.

        --
        No, you are mistaken. I've always had this sig.
  • (Score: 1, Insightful) by Anonymous Coward on Tuesday July 04 2017, @04:14PM

    by Anonymous Coward on Tuesday July 04 2017, @04:14PM (#534819)

    we wouldn't need Russian antivirus to patch the holes.

  • (Score: 2, Interesting) by JustNiz on Tuesday July 04 2017, @04:19PM (1 child)

    by JustNiz (1573) on Tuesday July 04 2017, @04:19PM (#534821)

Sure they could give them some nice clean source code. What's to prove only it went to make the binary though?

    • (Score: 2) by butthurt on Tuesday July 04 2017, @06:41PM

      by butthurt (6141) on Tuesday July 04 2017, @06:41PM (#534875) Journal

      Good question. There's a notion called "reproducible builds" (perhaps known by other names too).

      A build is reproducible if given the same source code, build environment and build instructions, any party can recreate bit-by-bit identical copies of all specified artifacts.

      -- https://reproducible-builds.org/docs/definition/ [reproducible-builds.org]

      I don't know whether Kaspersky Labs complies, or has been asked to comply, with that. Saying "Anything I can do to prove that we don’t behave maliciously I will do it" could be taken to mean that they would comply if asked to.

  • (Score: 2) by stretch611 on Tuesday July 04 2017, @04:22PM (3 children)

    by stretch611 (6199) on Tuesday July 04 2017, @04:22PM (#534823)

    When will they require this of election machine code?

    --
    Now with 5 covid vaccine shots/boosters altering my DNA :P
    • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @04:55PM

      by Anonymous Coward on Tuesday July 04 2017, @04:55PM (#534835)

      Never, if anything the government would get access to that source (which they likely already do), not the general public.

    • (Score: 2) by mcgrew on Tuesday July 04 2017, @05:28PM (1 child)

      by mcgrew (701) <publish@mcgrewbooks.com> on Tuesday July 04 2017, @05:28PM (#534847) Homepage Journal

      As long as there are paper ballots that can later be counted by hand it isn't that important.

      --
      mcgrewbooks.com mcgrew.info nooze.org
      • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @06:39PM

        by Anonymous Coward on Tuesday July 04 2017, @06:39PM (#534874)

        It is important, because the government should not be allowed to use proprietary software at all, and certainly shouldn't be allowed to require others use it if they want to vote (even momentarily).

  • (Score: 0, Redundant) by JustNiz on Tuesday July 04 2017, @04:26PM (1 child)

    by JustNiz (1573) on Tuesday July 04 2017, @04:26PM (#534825)

Sure they could show the government some nice clean source code. What's to prove it (and only it) went to make the binary though?

    • (Score: 2) by tangomargarine on Wednesday July 05 2017, @03:03PM

      by tangomargarine (667) on Wednesday July 05 2017, @03:03PM (#535216)

      Presumably they would include the exact build process they use to produce the binary. Then you take the source code, do the build yourself, and checksum the two binaries. If they match, they're being honest.

      --
      "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
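The reproducible-build definition butthurt quotes and the rebuild-and-checksum procedure tangomargarine describes, as an added, runnable illustration (this is editor-supplied example code, not anything from Kaspersky Lab, the Reproducible Builds project, or the commenters). It assumes the "product" is simply a zip archive of the disclosed source files; `SOURCE_TREE` is a constructed stand-in for a vendor's tree, and the `SOURCE_DATE_EPOCH` constant stands in for the environment variable real reproducible-builds tooling uses to pin timestamps. It shows the three cases an auditor cares about: an independent rebuild of the disclosed source matching the shipped bytes, a binary built from different source failing the checksum comparison even though the disclosed source looks clean, and why the comparison is meaningless unless the build is deterministic in the first place.

```python
import hashlib
import hmac
import io
import zipfile
from datetime import datetime, timezone
from typing import Optional

# Constructed stand-in for a vendor's source tree (path -> file bytes).
# Assumption: the shipped "product" is just these files packed into a zip.
SOURCE_TREE = {
    "scanner/engine.py": b"def scan(buf):\n    return b'EICAR' in buf\n",
    "scanner/__init__.py": b"",
    "README": b"Demo scanner\n",
}

# Fixed build timestamp agreed between vendor and auditor (the role the real
# SOURCE_DATE_EPOCH variable plays). Zip timestamps cannot predate 1980, so
# an arbitrary 2017 date is used: 2017-07-04T00:00:00Z.
SOURCE_DATE_EPOCH = 1499126400


def digest(blob: bytes) -> str:
    """SHA-256 of an artifact; this is the value the auditor compares."""
    return hashlib.sha256(blob).hexdigest()


def naive_build(tree: dict, build_time: Optional[datetime] = None) -> bytes:
    """A typical non-reproducible build: entries in dict order, each entry
    stamped with the wall-clock time of the build. Two honest builds differ."""
    if build_time is None:
        build_time = datetime.now(timezone.utc)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in tree.items():
            info = zipfile.ZipInfo(path, date_time=build_time.timetuple()[:6])
            zf.writestr(info, data, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def reproducible_build(tree: dict, source_date_epoch: int = SOURCE_DATE_EPOCH) -> bytes:
    """Same inputs, but every source of variation is pinned: entries are
    written in sorted path order and every timestamp is the agreed epoch."""
    fixed = datetime.fromtimestamp(source_date_epoch, timezone.utc).timetuple()[:6]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path in sorted(tree):
            info = zipfile.ZipInfo(path, date_time=fixed)
            zf.writestr(info, tree[path], compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def verify_vendor_binary(vendor_blob: bytes, tree: dict,
                         source_date_epoch: int = SOURCE_DATE_EPOCH) -> bool:
    """The check from the thread: rebuild from the disclosed source with the
    disclosed build recipe and compare checksums against the shipped artifact.
    True only if the shipped bytes came from exactly this source."""
    rebuilt = reproducible_build(tree, source_date_epoch)
    return hmac.compare_digest(digest(vendor_blob), digest(rebuilt))


def demo() -> dict:
    """Exercise the three cases an auditor cares about; all values are True."""
    shipped = reproducible_build(SOURCE_TREE)  # what the vendor hands over
    # Constructed variant: source that differs from what was disclosed.
    other_tree = dict(SOURCE_TREE)
    other_tree["scanner/engine.py"] = b"def scan(buf):\n    return False\n"
    t1 = datetime(2017, 7, 4, 10, 0, 0, tzinfo=timezone.utc)
    t2 = datetime(2017, 7, 4, 10, 1, 0, tzinfo=timezone.utc)
    return {
        # An independent rebuild of the disclosed source matches the shipped bytes.
        "disclosed_source_verifies": verify_vendor_binary(shipped, SOURCE_TREE),
        # A binary built from different source fails, even though the disclosed
        # source on its own looks perfectly clean.
        "different_source_detected": not verify_vendor_binary(
            reproducible_build(other_tree), SOURCE_TREE),
        # Without pinned timestamps two honest builds already differ, so a
        # checksum mismatch would prove nothing either way.
        "naive_builds_differ": naive_build(SOURCE_TREE, t1) != naive_build(SOURCE_TREE, t2),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the `naive_build` case is the caveat to tangomargarine's procedure: a checksum mismatch only means something if the vendor's documented build recipe removes every source of variation (timestamps, file ordering, build paths, toolchain version), which is exactly what the reproducible-builds definition demands of the "build environment and build instructions".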
  • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @08:25PM

    by Anonymous Coward on Tuesday July 04 2017, @08:25PM (#534914)

    What if hostilities do break out? Americans who use Russian software and Russians who use American software are one malicious update away from being pwn3d.
