posted by mrpg on Tuesday July 04 2017, @08:19AM
from the here-nsa-take-my-source-code dept.
Kaspersky Willing to Hand Source Code Over to U.S. Government

Kaspersky Lab is willing to go to extreme lengths to reassure the U.S. government about the security of its products:

Eugene Kaspersky is willing to turn over computer code to United States authorities to prove that his company's security products have not been compromised by the Russian government, The Associated Press reported early Sunday.

"If the United States needs, we can disclose the source code," said the creator of beleaguered Moscow-based computer security company Kaspersky Lab in an interview with the AP.

"Anything I can do to prove that we don't behave maliciously I will do it."

Also at Neowin.

In Worrisome Move, Kaspersky Agrees to Turn Over Source Code to US Government

Over the last couple of weeks, there's been a disturbing trend of governments demanding that private tech companies share their source code if they want to do business. Now, the US government is giving the same ultimatum and it's getting what it wants.

On Sunday, the CEO of security firm Kaspersky Labs, Eugene Kaspersky, told the Associated Press that he's willing to show the US government his company's source code. "Anything I can do to prove that we don't behave maliciously I will do it," Kaspersky said while insisting that he's open to testifying before Congress as well.

The company's willingness to share its source code comes after a proposal was put forth in the Senate that "prohibits the [Defense Department] from using software platforms developed by Kaspersky Lab." It goes on to say, "The Secretary of Defense shall ensure that any network connection between ... the Department of Defense and a department or agency of the United States Government that is using or hosting on its networks a software platform [associated with Kaspersky Lab] is immediately severed."

Jeanne Shaheen, a New Hampshire Democrat, tells ABC News that there is "a consensus in Congress and among administration officials that Kaspersky Lab cannot be trusted to protect critical infrastructure." The fears follow years of suspicion from the FBI that Kaspersky Labs is too close to the Russian government. The company is based in Russia but has worked with both Moscow and the FBI in the past, often serving as a go-between to help the two governments cooperate. "As a private company, Kaspersky Lab has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyberespionage efforts," an official statement from Kaspersky Labs reads.

Source: Gizmodo


Original Submission #1, Original Submission #2

  • (Score: 1, Interesting) by Anonymous Coward on Tuesday July 04 2017, @09:06AM (7 children)

    by Anonymous Coward on Tuesday July 04 2017, @09:06AM (#534736)

    Which department of the US government is going to audit the code? They better be fluent in Russian because I doubt Kaspersky wrote their variable names & comments in English.

    And how will they know that what they got is the same/complete source code used in the available Kaspersky product line? Different versions of libraries, etc. will make it hard for the US to compile/produce an exact duplicate of the products shipped by Kaspersky. I'm not saying it can't be done - just that the US government aren't exactly competent when it comes to technology.

  • (Score: 4, Interesting) by zocalo on Tuesday July 04 2017, @09:41AM (3 children)

    by zocalo (302) on Tuesday July 04 2017, @09:41AM (#534746)
    Depends how far Kaspersky is willing to go in order to try and secure a US Government contract. I was involved in some early discussions with Huawei back when they were first starting to get involved in selling to the West and there was all that talk about how the Chinese might have backdoored the products; a very valid concern for us since the proposed deployment would have been on a major national infrastructure project. Besides making a similar offer to Kaspersky - turning over all their code and so on to GCHQ for inspection in our case - they were also apparently quite willing to help set up the necessary build infrastructure for us to roll our own firmware from their code, and didn't rule out a suggestion of some customisation like dropping functionality we wouldn't need to reduce the attack surface and so on. In our case we didn't really need to pursue that to the point of getting a contract thrashed out - just make it clear that the offer was on the table and roughly how it would work - but it should be entirely possible for the US to do something similar with Kaspersky if both parties are amenable to it.

    As you note though, that still leaves the question of whether the US has anyone competent enough to do it in a way that ensures the process can't be backdoored in the event that Kaspersky does end up under the thumb of the Russian government at some point. Given that could be as simple as failing to include some detection signatures for the FSB's equivalent of the NSA's hacking tool suite that had better include some kind of defence in depth strategy that doesn't mean that any specific link in the security chain failing is a major problem, but if you can do that then the need for the audit of Kaspersky's code is mostly moot anyway.
    --
    UNIX? They're not even circumcised! Savages!
    • (Score: 1, Interesting) by Anonymous Coward on Tuesday July 04 2017, @02:07PM

      by Anonymous Coward on Tuesday July 04 2017, @02:07PM (#534794)

      Of course Huawei is willing to provide code, and even let you compile it yourself. The backdoors are built into the hardware, the code doesn't matter.

    • (Score: 2) by frojack on Tuesday July 04 2017, @06:18PM (1 child)

      by frojack (1554) on Tuesday July 04 2017, @06:18PM (#534863) Journal

      Given that could be as simple as failing to include some detection signatures for the FSB's equivalent of the NSA's hacking tool suite that had better include some kind of defence in depth

      Since the signatures are updated in near real time, providing them at all is pointless.

      The engine, however, would be very worthwhile to audit, so that you could see what telemetry it is sending back, how (or if) that is encrypted, and the keys used for encryption, etc.

      After all, a "security" product doesn't have to be perfect (especially in a constantly changing world) it just has to NOT be a BEACHHEAD.

      Obtaining the signatures structure specifications, so that you could create your own signature addendums would be useful too.

      The problem I see is the US Government's inability to prevent leaks means that ALL of this information ends up in the blackhat hands in short order. Who's to say the US Government aren't the worst blackhats in the world?

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 2) by zocalo on Tuesday July 04 2017, @07:01PM

        by zocalo (302) on Tuesday July 04 2017, @07:01PM (#534890)
        Yeah, that's kind of my point. Valuable as a code audit of an AV package might be to check for backdoors, flaws, telemetry, etc., it's not really going to do anything to assure you that the software won't turn a blind eye to any government malware they've been forced to ignore. Even if you were to try and audit the signatures - Sisyphean task that it is - it would be rather tricky to determine not only that it omitted a signature for a 0day but that the omission was deliberate when no one else is aware of it yet either. That's where the defence in depth comes in; even clueful home users are not just relying on an AV package anymore; as a minimum they'll usually also have a firewall, and maybe a script blocker plus some other tools running as well, so if one link does fail the others can hopefully pick up the slack, or at least minimise the damage. Any corporation or government agency that isn't doing all that and more already probably isn't going to benefit from a code audit anyway - if anything, it'll just give them a false sense of security.
        --
        UNIX? They're not even circumcised! Savages!
  • (Score: 3, Informative) by Runaway1956 on Tuesday July 04 2017, @10:24AM

    by Runaway1956 (2926) Subscriber Badge on Tuesday July 04 2017, @10:24AM (#534750) Journal

    The Department of the Navy has boatloads of cryptography techs who are fluent in Russian, if no other department has them. I can't say how many CT's are also programmers, or competent to audit code, but some of them are.

  • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @12:54PM

    by Anonymous Coward on Tuesday July 04 2017, @12:54PM (#534781)

    Which department of the US government is going to audit the code? They better be fluent in Russian because I doubt Kaspersky wrote their variable names & comments in English.

    If you want to be sure, you have to understand the actual code anyway. Variable names and comments could be misleading (accidentally or intentionally). Only the information that ends up in the compiled and executed code is really relevant.

  • (Score: 4, Informative) by fraxinus-tree on Tuesday July 04 2017, @02:33PM

    by fraxinus-tree (5590) on Tuesday July 04 2017, @02:33PM (#534800)

    My native language (Bulgarian) also uses the Cyrillic alphabet (well, it is Russian that is an old pirated version of it) and I can assure you that most program code I have seen has pretty much English identifiers and (if any) English comments. It is just a major hassle to switch both your keyboard and your brain to something THAT MUCH different.