posted by mrpg on Tuesday July 04 2017, @08:19AM   Printer-friendly
from the here-nsa-take-my-source-code dept.
Kaspersky Willing to Hand Source Code Over to U.S. Government

Kaspersky Lab is willing to go to extreme lengths to reassure the U.S. government about the security of its products:

Eugene Kaspersky is willing to turn over computer code to United States authorities to prove that his company's security products have not been compromised by the Russian government, The Associated Press reported early Sunday.

"If the United States needs, we can disclose the source code," said the creator of beleaguered Moscow-based computer security company Kaspersky Lab in an interview with the AP.

"Anything I can do to prove that we don't behave maliciously I will do it."

Also at Neowin.

In Worrisome Move, Kaspersky Agrees to Turn Over Source Code to US Government

Over the last couple of weeks, there's been a disturbing trend of governments demanding that private tech companies share their source code if they want to do business. Now, the US government is giving the same ultimatum and it's getting what it wants.

On Sunday, the CEO of security firm Kaspersky Labs, Eugene Kaspersky, told the Associated Press that he's willing to show the US government his company's source code. "Anything I can do to prove that we don't behave maliciously I will do it," Kaspersky said while insisting that he's open to testifying before Congress as well.

The company's willingness to share its source code comes after a proposal was put forth in the Senate that "prohibits the [Defense Department] from using software platforms developed by Kaspersky Lab." It goes on to say, "The Secretary of Defense shall ensure that any network connection between ... the Department of Defense and a department or agency of the United States Government that is using or hosting on its networks a software platform [associated with Kaspersky Lab] is immediately severed."

Jeanne Shaheen, a New Hampshire Democrat, tells ABC News that there is "a consensus in Congress and among administration officials that Kaspersky Lab cannot be trusted to protect critical infrastructure." The fears follow years of suspicion from the FBI that Kaspersky Labs is too close to the Russian government. The company is based in Russia but has worked with both Moscow and the FBI in the past, often serving as a go-between to help the two governments cooperate. "As a private company, Kaspersky Lab has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyberespionage efforts," an official statement from Kaspersky Labs reads.

Source: Gizmodo

  • (Score: 2) by zocalo on Tuesday July 04 2017, @09:17AM (17 children)

    by zocalo (302) on Tuesday July 04 2017, @09:17AM (#534738)
    I really don't see what is "worrisome" about this, at least not for Kaspersky. It's hardly novel for a closed-source software or hardware company to turn over their code for inspection by government agencies or their designated external auditors; even the likes of Microsoft have done it when it came down to either that or losing out on suitably large potential markets for their products. Huawei was extremely vocal about their offer to do the same in an attempt to assuage Western governments that their hardware was safe when they were first trying to get established in the West - supposedly even to the point of providing the source to compile the firmware for some major contracts (which does nothing for anything that might be baked into the chips, of course).

    Factor in that this is likely to only happen under controlled conditions with all code requests logged and backed up with NDAs and other legal agreements to discourage anyone from thinking that they could leak some (or all) of the code and get away with it, and there's really quite minimal risk for Kaspersky here. The potential payoff though is huge; how many PCs and other devices (Kaspersky supports mobile devices too) that could potentially be running a licensed copy of Kaspersky AV does the US Government have, all told? Tens of millions seems quite likely, and that's going to add up to quite a large chunk of ongoing revenue when you factor in their annual update subscription pricing model, and Kaspersky also gets a unique selling point out of the deal: The US will have audited their code (on their dime too!) and would have a very good idea of the quality of the code, possibly even advising Kaspersky of any potential coding flaws they might have identified - how many of the Western based competitors would be in a position to claim that?
    --
    UNIX? They're not even circumcised! Savages!
  • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @09:36AM (8 children)

    by Anonymous Coward on Tuesday July 04 2017, @09:36AM (#534744)

    It's very simple. The government should not be banning software without effectively irrefutable evidence of malfeasance. In this case it's clear such evidence does not exist. There's no security through obscurity here. If the government had solid evidence then source access would be more than sufficient to confirm or deny their suspicions. We are, terrifyingly naturally, turning into a country where people and companies who fall out of favor with 'the powers that be' are guilty until proven innocent. Pairing this with the fact that we are now also increasingly willing to shoot first and ask questions later, even preemptively, makes this a very dangerous path to go down.

    • (Score: 2) by takyon on Tuesday July 04 2017, @12:42PM

      by takyon (881) <reversethis-{gro ... s} {ta} {noykat}> on Tuesday July 04 2017, @12:42PM (#534777) Journal

      The government should not be banning software without effectively irrefutable evidence of malfeasance.

      Are they banning you from running Kaspersky or are they banning it on their own computers?

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
    • (Score: 2) by Wootery on Tuesday July 04 2017, @12:49PM (1 child)

      by Wootery (2341) on Tuesday July 04 2017, @12:49PM (#534779)

      The government should not be banning software without effectively irrefutable evidence of malfeasance.

      Disagree. We're not talking about a criminal trial here.

      If you want to join the military, they have a list of things that can immediately disqualify you. That's not because they mean you're definitely going to screw things up, it's more of a precaution. Is that totally unreasonable? No. It's just being practical.

      • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @06:03PM

        by Anonymous Coward on Tuesday July 04 2017, @06:03PM (#534859)

        Those qualifications are specifically related to your performance. I think the analog here would be more along the lines of the military refusing admittance to anybody who was more than 1/8th Russian - even if they're a second generation American. I think it's perfectly reasonable to ban or restrict on just about anything that has a real and viable issue, but in this case it seems the only reason for banning Kaspersky was because it's developed by a Russian company.

    • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @01:01PM (2 children)

      by Anonymous Coward on Tuesday July 04 2017, @01:01PM (#534783)

      It's very simple. The government should not be banning software without effectively irrefutable evidence of malfeasance.

      So you say the government should not be free to decide what they run on their own computers?

      • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @05:57PM (1 child)

        by Anonymous Coward on Tuesday July 04 2017, @05:57PM (#534856)

        They absolutely should. That is rather the point.

        Banning software specifically prevents organizations from making their own decisions. To make matters even worse, these top-down level decisions are almost invariably based more on xenophobia and politics than valid concern. Hence the reason we have no Chinese astronauts on the ISS for example.

        • (Score: 2) by frojack on Tuesday July 04 2017, @06:36PM

          by frojack (1554) on Tuesday July 04 2017, @06:36PM (#534871) Journal

          You're the only one tossing around this banning word.

          You, your school, your city planning department, the church, the dry-cleaners, can pretty much use any Kaspersky software they want. It's freely available. It's not banned.

          The General Services Admin does the purchasing for the US Government. Even top secret purchases go through the GSA (special branch). If they have orders not to buy Kaspersky then that's the way it is. Organizations within the US Government should definitely NOT be "making their own decisions" any more than they should be rolling their own encryption algorithms.

          --
          No, you are mistaken. I've always had this sig.
    • (Score: 1, Insightful) by Anonymous Coward on Tuesday July 04 2017, @06:31PM (1 child)

      by Anonymous Coward on Tuesday July 04 2017, @06:31PM (#534867)

      It should be illegal for the government to use any proprietary software, since the government should encourage freedom, independence, and education; proprietary software laughs in the face of all of those things. Additionally, our government should not be dependent on large corporations to do their computing and should be able to hire anyone they want to develop a piece of software.

      • (Score: 0) by Anonymous Coward on Wednesday July 05 2017, @04:34PM

        by Anonymous Coward on Wednesday July 05 2017, @04:34PM (#535255)

        but it's patriotic to use american (yes, The America, motherfuckers!) slaveware to deny american children the technical knowledge necessary to free themselves from the tax funded plantation!

  • (Score: 2) by inertnet on Tuesday July 04 2017, @10:07AM (5 children)

    by inertnet (4071) on Tuesday July 04 2017, @10:07AM (#534748) Journal

    So for instance, it would also be a good thing if the European Union demanded the same from American companies?

    • (Score: 1, Informative) by Anonymous Coward on Tuesday July 04 2017, @10:35AM

      by Anonymous Coward on Tuesday July 04 2017, @10:35AM (#534756)

      So for instance, it would also be a good thing if the European Union demanded the same from American companies?

      Err, it happens?

      https://arstechnica.com/uncategorized/2006/01/6048-2/ [arstechnica.com]
      http://www.pcworld.com/article/2931212/microsoft-lets-eu-governments-inspect-source-code-for-security-issues.html [pcworld.com]

    • (Score: 2) by zocalo on Tuesday July 04 2017, @10:53AM

      by zocalo (302) on Tuesday July 04 2017, @10:53AM (#534759)
      Sure, and as the AC noted, it happens already. For better or worse systems are getting increasingly connected, so the previous approach of "it's air gapped so security doesn't matter quite so much" (which in practice often meant "at all") is becoming less and less relevant. If you are not assuming that the systems you are deploying might have a backdoor - whether deliberately or through incompetence/bugs - and taking any steps you can to mitigate against that then you're doing it wrong. If you're big enough and really have no choice but a closed source solution, then requesting to see the source under NDA, and maybe even compiling your own binaries from it in some cases, should absolutely be part of that mitigation, regardless of where you and your supplier are based - and yes, that includes US-US, EU-EU, etc.
      --
      UNIX? They're not even circumcised! Savages!
    • (Score: 2) by mcgrew on Tuesday July 04 2017, @05:26PM (1 child)

      by mcgrew (701) <publish@mcgrewbooks.com> on Tuesday July 04 2017, @05:26PM (#534845) Homepage Journal

      Actually, I think it's foolish for any government to use ANY foreign hardware or code. If I were the EU I'd certainly not use American software and Chinese computers.

      --
      mcgrewbooks.com mcgrew.info nooze.org
    • (Score: 0) by Anonymous Coward on Wednesday July 05 2017, @01:14AM

      by Anonymous Coward on Wednesday July 05 2017, @01:14AM (#535001)

      It would be good for the EU.

      It would be bad for American companies and their nation. American companies should resist. The US government should apply pressure to the companies to help them resist, and should apply pressure to the EU to discourage the EU from demanding source code.

      Maybe one government caves in exchange for something completely unrelated. Protection of geographic identifiers for example could be adopted by the US or dropped by the EU. Maybe one side buys aircraft from the other. Maybe the EU accepts freedom of speech or the US shuts it down.

  • (Score: 4, Informative) by Spamalope on Tuesday July 04 2017, @01:32PM (1 child)

    by Spamalope (5233) on Tuesday July 04 2017, @01:32PM (#534790) Homepage

    Worrisome?
    3 letter agencies use the source code to craft malware it won't detect and to better search for ways to exploit it?
    They're going to try at least.

    • (Score: 2) by fraxinus-tree on Wednesday July 05 2017, @09:34AM

      by fraxinus-tree (5590) on Wednesday July 05 2017, @09:34AM (#535119)

      3-letter and 4-letter agencies of major world powers (at least down to and including Russia) have the source code of almost anything of interest anyway. There is an established culture of "trading" these things between them even outside usual allies.