Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Businesses Government Security Politics

'US Intelligence Agencies Should Put Up Or Shut Up With Kaspersky Rumors' (csoonline.com) 115

itwbennett writes: As previously reported on Slashdot, U.S. intelligence agencies have warned against using Kaspersky software amid swirling rumors of ties between Kaspersky Lab executives and the Russian government. White House cybersecurity coordinator Rob Joyce this week advised against consumer use of Kaspersky software. This may be good politics, but CSOonline's Fahmida Rashid warns that it's bad infosec. 'If the government has any evidence -- or even compelling reasons for being suspicious -- it should be sharing that, because many companies and consumers rely on Kaspersky Lab products. The fact that the government hasn't done so makes it likely this is all just geo politics,' writes Rashid. 'There is enough FUD in the market without throwing in politics into decision-making. Organizations should focus on deploying the technology which best addresses their needs.'
This discussion has been archived. No new comments can be posted.

'US Intelligence Agencies Should Put Up Or Shut Up With Kaspersky Rumors'

Comments Filter:
  • by Revek ( 133289 ) on Friday August 25, 2017 @10:30AM (#55083107)

    Not an outright lie, more like some ignorant interpretation of the facts. A straw man to distract people from the Illegal hacking that our own government does to 'protect' us.

    • Any sort of condemnation of a tech company by a U.S. Intelligence agency should be easily spun into a positive selling feature for said company. If the CIA / NSA / 3 letter agency is publicly denouncing your organization, then it's almost certain that they're unable to install their backdoors / rootkit / keyloggers on whatever that company has to sell.
    • rob. you are so in over your head.
  • makes it likely this is all just geo politics

    "Just" geopolitics. I like that.

    It's merely two countries with vast nuclear arsenals and unstable leaders trying to destabilize each other. What could go wrong?

  • 'If the government has any evidence -- or even compelling reasons for being suspicious -- it should be sharing that, because many companies and consumers rely on Kaspersky Lab products.

    While I wholeheartedly agree with this statement, I will not be surprised if this administration uses the line, "Sharing more of what we already have divulged, will be tantamount to giving up our sources and methods.

    BTW, this line was used by Obama administration as well, when they were talking about Russian involvement in last year's elections.

    How it makes sense, I cannot figure out.

    • by mark-t ( 151149 )
      It makes perfect sense if it was actually a complete fabrication
    • Re: (Score:3, Insightful)

      BTW, this line was used by Obama administration as well, when they were talking about Russian involvement in last year's elections.

      How it makes sense, I cannot figure out.

      I recall that. If one wants the gov to 'put up or shut up' regarding evidence for Kapersky, they should want the same regarding evidence regarding Trump and Russia, but the media seems to be fine with insinuations, a lot more to assume that way.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        I believe there is an investigation right now into whether there is evidence of collusion between Trump and Russia.

        • I believe there is an investigation right now into whether there is evidence of collusion between Trump and Russia.

          You are being entirely too sensible - knock it off.

    • by Gr8Apes ( 679165 )

      Suppose that the information was retrieved from the SSL connection to Kapersky's servers. If so, then they'd have admitted that they either have compromised Kapersky's certificates (unlikely) or they have a standard MITM attack vector for all SSL connections (a lot more likely, as it's based on trust)

      Either reveal is bad for national security, so they truly shouldn't say more. I personally haven't used Kapersky ever, as it was a 100% Russian product with root capabilities (well, on windows everything has

      • Suppose that the information was retrieved from the SSL connection to Kapersky's servers.

        No one is asking them for info on how they may have got the stuff. All we want is *the* stuff. They will never divulge details [possibly] because this information is fake.

    • by h4ck7h3p14n37 ( 926070 ) on Friday August 25, 2017 @01:38PM (#55084737) Homepage

      Back during the Cuban Missile Crisis President Kennedy put forward the U-2 photos showing the missile sites. He didn't hide behind the whole sources and methods thing.

      If someone's not willing to present their evidence, then you probably shouldn't trust them unless they have demonstrated they can be trusted. The three letter agencies have all demonstrated they cannot be trusted.

  • by danlor ( 309557 ) on Friday August 25, 2017 @10:34AM (#55083141) Homepage

    This time is no different. There is tons of smoke, and a despot with his hand near the wheel. Regardless of whether or not there is currently corruption, there is nothing stopping it from happening undetected in the future. We have been debating this situation here, at the executive level for over a year. I have been steadfastly against making a change (We use Kaspersky), but at a certain point it comes down to putting your name on the line certifying Kaspersky as safe. Are you comfortable with that? I'm not. So I had to give in. I'm not going to put my job on the line for a commodity security software.

    • by green1 ( 322787 )

      But what software are you comfortable putting your name on the line certifying as safe? and is it really any more likely to be safe than Kaspersky?

      • by danlor ( 309557 )

        You are missing the point. To continue using Kaspersky REQUIRES I put my name on the line to certify it. This is not required of other solutions as they are not suspect or staffed with ex KGB agents. Before this bullshit I considered that a plus as it demonstrated skills needed.

        • by green1 ( 322787 )

          Yep, better to be completely ignorant of any risk, rather than properly weigh the consequences.

  • It's about risk (Score:5, Insightful)

    by Oswald McWeany ( 2428506 ) on Friday August 25, 2017 @10:38AM (#55083167)

    You don't have to prove that Kaspersky is in bed with Russian intelligence to not want to use it for government computers.

    Merely suspecting it might be is enough reason not to use it.

    • Comment removed based on user account deletion
    • Re: (Score:3, Funny)

      by Anonymous Coward
      TFA: The burden of proof is on US intelligence agencies.
      New Slashdotters: No, the burden of proof falls on Kaspersky labs.
      Old Slashdotters: Anti-virus is a virus. Use Linux, not cloud services.
      Me: Maybe if I produce a pithy summary, I'll get modded up.
      Moderators: I would have, but then you revealed your true motives.
      You: Why am I still reading this comment?
      Your subconscious mind: Seriously, why are you still reading it?
      US intelligence agents: He's still reading stupid Slashdot comments. Can we please
    • You dont have to prove that ALL softwate developper in the U.S. is in bed with the cia/nsa to not want to use it, it is about risk. And thus you condemned all country to reinvent the wheel as no software whatsoever is trustable.
  • by Anonymous Coward

    I have the info on why nobody should be using Kaspersky's software, and I don't have any classified intell. I'm about to tell you something that you've probably already known for 20 years:

    Virus scanners are bullshit. If your security relies on executing totally untrusted code but hoping to have checked it against a blacklist first, then you have already lost. Your solution is stupid and you're a stupid person for thinking it might have worked.

    The way to protect against viruses is to not run any code that

    • The way to protect against viruses is to not run any code that you have no reason to trust.

      The problem with that is that it means that you can't use any software that you didn't write yourself, wasn't written by a person you know and trust, or that you didn't carefully examine the source to.

    • I got bad news for you, AC: YOU ARE VIOLENTLY STUPID AND UNINFORMED. Otherwise legit software and websites can be compromised into being malware. Even I once went to download drivers for a piece of hardware from the manufacturers own website and antivirus flagged the download as containing a trojan; or are you going to say that a well-known manufacturer of computer hardware was complicit? Antivirus/antimalware is like carrying a parachute with you on a small airplane; you're not planning on jumping out and
      • by HiThere ( 15173 )

        Well, you've got two problems there...make that three.
        1) False positives. Just because something is flagged as a virus/trojan/etc. doesn't mean it really is, just that it has a high probability of being one. (And, of course, there are also false negatives.)
        2) The manufacturer's site could be infected.
        3) The manufacturer could be intentionally shipping spyware embedded in their product. (I've seen EULAs where they demanded the right to do so.)

        Then there's problem 4:
        4) The anti-virus could, itself, be som

    • The way to protect against viruses is to not run any code that you have no reason to trust. If you are having unprotected sex with a dozen strangers per day, you are going to get an STD even if you ask each stranger "hey, have you been checked out lately?" before each encounter.

      Hey look, another Linux user that thinks s/he's totally safe from viruses because he somehow knows better.*

      If we're going to talk about cybersecurity like we're really talking about sex, with terms like 'monogamy' and 'condoms', then the closest correct analogy I can give you is that your workplace is your home, every single co-worker is your wife, and the servers are your bed.

      Your wife is generally pretty honest but sometimes she hears the call of the void and sleeps around, just this one time because you

      • by HiThere ( 15173 )

        Running Linux alone does not suffice. You also need to avoid the installation of Flash, to avoid javascript, and a few other choices...like not installing applications you don't need. Even that isn't 100% protection, but that's not available anywhere on the planet, probably anywhere in the universe.

        If you want to be even more secure (this thing is layered) run some version of BSD with the same restrictions. And then you run the applications that you need to run in a virtualized environment. And that's n

    • End of discussion. How many people compiled that SSL code? Millions. How many people actually read it. Apparently not too goddamn many.

  • They're worried about Made-in-Russia software running on Made-in-China hardware/firmware? HAHAHAHAHAHA.....
    • by green1 ( 322787 )

      For the average person, that's far better than trusting Made in USA hardware and software.

      Both are likely spying on you, but at least the Russians and Chinese are unlikely to drag you out of bed in the middle of the night if you say something they don't like.

    • by HiThere ( 15173 )

      You can only sue the US government (in a US court) if you first get their permission.

      • by mark-t ( 151149 )
        Fine. Don't not sue, charge them criminally. Their only out is to then admit that is an opinion only.
  • The problem that officials face is what to do with imperfect information. In the current environment, Russians messing with the U.S. election, an America-First President, and recent overseas terrorist attacks, who is going to decide not to act on even thin information? I doubt that the actual decision makers are most corporations are in a position to second-guess the U.S. government. The whole thing could just be thin information steamrolling because nobody wants to be the one to put a stop to things.
    • by HiThere ( 15173 )

      The evidence, IIUC, was not "Russians messing with the U.S. election", it was "someone using a Russian IP address messing with the U.S. election". So it *could* have been Russians, and it *could* have been the Russian government. But the IP address could have been spoofed. It could have been a hacker working under contract. Etc.

  • by JohnFen ( 1641097 ) on Friday August 25, 2017 @10:51AM (#55083285)

    White House cybersecurity coordinator Rob Joyce this week advised against consumer use of Kaspersky software. This may be good politics, but CSOonline's Fahmida Rashid warns that it's bad infosec.

    No need to worry. Most Americans don't take anything the White House has to say seriously, anyway.

  • They put up. They said that they don't trust them, and that's all they need do. They'd do the same for any other anti-virus product that they didn't trust.

    End of Report, end of discussion.

  • I never worry that a Russian company is going to steal my ideas and compete against me for actual paying customers. Chinese or American companies I worry about. Getting fucked by a stupid American patent is something I definitely worry about and thanks to the NSA and now CIA I'm very concerned about made in the USA or even passed reasonably close to the USA. If Kaspersky was (and I doubt it) completely compromised by the Russian secret service then they seem to be doing a good job keeping it a secret. M
  • What if the NSA wants to make an exploit but needs help of anti-virus and network security vendors to keep the exploit secret. It is one thing to build something that works today and is undetectable it is quite another to make it undetectable 10 years from now when someone reboots a compromised VMware image and a traffic monitoring equipment starts inspecting the traffic out of the virtual machine. Does this mean Kaspersky is the only vendor not tainted by the NSA?
  • There are consequences to being based in a country that, as a matter of normal practice, considers its companies to be an extension of the state. The question isn't so much; "do you trust Kaspersky" as "do you trust Putin's Russia" For me the answer is no! Does anyone believe that Kaspersky could resist a full out press from Putin for nefarious use of Kaspersky's huge power? He could only use it once and Kaspersky would be destroyed so there would never be evidence of it until a one-time use of the silver b
  • by WindBourne ( 631190 ) on Friday August 25, 2017 @12:38PM (#55084289) Journal
    The last thing that the intelligence world wants to do is tell every tom, dick, and harry out here how it spies on other nations and how it catches ppl/organizations.
    I am amazed at all of the idiots calling for NSA to out themselves for what they do LEGALLY.
    Even now, look at what is going on with trump investiation. Trump/family/admin continue to make a statement that is a lie. So, NSA will release a peice of evidence that refutes those lies, along with offers up another clue. Now, why do they not simply dump all of their data on ppl like Trump, Pence, Bannon, etc for their treason? Because to do so, would allow Russia and China to figure out how we spy on their spies and then get around us. That would be a disaster. The best thing that happens is when these top nations have inside information about POLICY/WHY, but not about the HOW. This has prevented a number of wars. But, once a nation like China get the HOW, then it will lead from this China's cold war with the west, to a full blown hot war, which could lead to nukes.
    REAL BAD IDEA.
    • by sl3xd ( 111641 )

      It's almost like we have people who are shocked - SHOCKED - that intelligence agencies keep secrets, and have good reasons to continue to do so.

  • While Rashid is right to challenge the Russophobic line inherent in this story (which draws from and is a repeat of the 'Russiagate' lies meant to distract the public from Hillary Clinton's 2nd presidential campaign loss and unwillingness to take sole credit for her choices which led to and explain that loss and stoke fear which could lead to war with Russia), Rashid misses the point that there is a great reason to reject Kaspersky's software: it's nonfree (user-subjugating, proprietary) software. This is t

  • Meanwhile .... major US communication network management systems are written by Ukrainian and Russian developers and not a peep. My cynical thoughts on Kaspersky: I'd rather another government have access to my data than my own.

news: gotcha

Working...