
posted by mrpg on Tuesday July 04 2017, @08:19AM
from the here-nsa-take-my-source-code dept.
Kaspersky Willing to Hand Source Code Over to U.S. Government

Kaspersky Lab is willing to go to extreme lengths to reassure the U.S. government about the security of its products:

Eugene Kaspersky is willing to turn over computer code to United States authorities to prove that his company's security products have not been compromised by the Russian government, The Associated Press reported early Sunday.

"If the United States needs, we can disclose the source code," said the creator of beleaguered Moscow-based computer security company Kaspersky Lab in an interview with the AP.

"Anything I can do to prove that we don't behave maliciously I will do it."

Also at Neowin.

In Worrisome Move, Kaspersky Agrees to Turn Over Source Code to US Government

Over the last couple of weeks, there's been a disturbing trend of governments demanding that private tech companies share their source code if they want to do business. Now, the US government is giving the same ultimatum and it's getting what it wants.

On Sunday, the CEO of security firm Kaspersky Labs, Eugene Kaspersky, told the Associated Press that he's willing to show the US government his company's source code. "Anything I can do to prove that we don't behave maliciously I will do it," Kaspersky said while insisting that he's open to testifying before Congress as well.

The company's willingness to share its source code comes after a proposal was put forth in the Senate that "prohibits the [Defense Department] from using software platforms developed by Kaspersky Lab." It goes on to say, "The Secretary of Defense shall ensure that any network connection between ... the Department of Defense and a department or agency of the United States Government that is using or hosting on its networks a software platform [associated with Kaspersky Lab] is immediately severed."

Jeanne Shaheen, a New Hampshire Democrat tells ABC News, that there is "a consensus in Congress and among administration officials that Kaspersky Lab cannot be trusted to protect critical infrastructure." The fears follow years of suspicion from the FBI that Kaspersky Labs is too close to the Russian government. The company is based in Russia but has worked with both Moscow and the FBI in the past, often serving as a go-between to help the two governments cooperate. "As a private company, Kaspersky Lab has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyberespionage efforts," an official statement from Kaspersky Labs reads.

Source: Gizmodo



  • (Score: 2) by frojack (1554) on Tuesday July 04 2017, @06:18PM (#534863) (1 child)

    Given that could be as simple as failing to include some detection signatures for the FSB's equivalent of the NSA's hacking tool suite, that had better include some kind of defence in depth.

    Since the signatures are updated in near real time, providing them at all is pointless.

    The engine, however, would be very worthwhile to audit, so that you could see what telemetry it is sending back, how (or if) that is encrypted, and the keys used for encryption, etc.

    After all, a "security" product doesn't have to be perfect (especially in a constantly changing world); it just has to NOT be a BEACHHEAD.

    Obtaining the signatures structure specifications, so that you could create your own signature addendums would be useful too.

    The problem I see is the US Government's inability to prevent leaks means that ALL of this information ends up in the blackhat hands in short order. Who's to say the US Government aren't the worst blackhats in the world?

    --
    No, you are mistaken. I've always had this sig.
  • (Score: 2) by zocalo (302) on Tuesday July 04 2017, @07:01PM (#534890)
    Yeah, that's kind of my point. Valuable as a code audit of an AV package might be to check for backdoors, flaws, telemetry, etc., it's not really going to do anything to assure you that the software won't turn a blind eye to any government malware they've been forced to ignore. Even if you were to try and audit the signatures - Sisyphean task that it is - it would be rather tricky to determine not only that it omitted a signature for a 0day but that the omission was deliberate when no one else is aware of it yet either. That's where the defence in depth comes in; even clueful home users are not just relying on an AV package anymore; as a minimum they'll usually also have a firewall, and maybe a script blocker plus some other tools running as well, so if one link does fail the others can hopefully pick up the slack, or at least minimise the damage. Any corporation or government agency that isn't doing all that and more already probably isn't going to benefit from a code audit anyway - if anything, it'll just give them a false sense of security.
    --
    UNIX? They're not even circumcised! Savages!