'US Intelligence Agencies Should Put Up Or Shut Up With Kaspersky Rumors' (csoonline.com)
itwbennett writes: As previously reported on Slashdot, U.S. intelligence agencies have warned against using Kaspersky software amid swirling rumors of ties between Kaspersky Lab executives and the Russian government. White House cybersecurity coordinator Rob Joyce this week advised against consumer use of Kaspersky software. This may be good politics, but CSOonline's Fahmida Rashid warns that it's bad infosec. 'If the government has any evidence -- or even compelling reasons for being suspicious -- it should be sharing that, because many companies and consumers rely on Kaspersky Lab products. The fact that the government hasn't done so makes it likely this is all just geopolitics,' writes Rashid. 'There is enough FUD in the market without throwing in politics into decision-making. Organizations should focus on deploying the technology which best addresses their needs.'
I'm thinking it's just like the FCC DDOS (Score:5, Interesting)
Not an outright lie, more like some ignorant interpretation of the facts. A straw man to distract people from the illegal hacking that our own government does to 'protect' us.
Re: (Score:3)
I don't trust any AV company that... (Score:1)
...has its corporate base in a country with a government. That is because it 1) can be manipulated by the government, or 2) IS the government.
Because of that I only use free, open source AV.
Re: (Score:2)
The absence of counterclaims is because we don't attack very often. The command chain authority for a cyber offensive (OCO) is similar to that for a nuclear strike. Further, US legal definitions of cyber attacks require physical loss or human disability or death. This is a much higher bar than other countries.
Look up:
https://law.yale.edu/system/fi... [yale.edu]
If you have access to Joint Knowledge Online (DoD), find the class on Cyber legal framework (unclass) which will lay all this out in gory detail.
Re: (Score:3)
Sorry to reply to self, but part of the reason why the command authority is so strict is because USCYBERCOM is currently under USSTRATCOM (Strategic Combatant Command). The news articles stating that USCYBERCOM gets "elevated" means that USCYBERCOM basically take it out of this position and is elevated to a peer. This should allow USCYBERCOM to better alter its rules of engagement.
Re: I'm thinking it's just like the FCC DDOS (Score:1)
Re: (Score:1)
Good Lord, is RT now posting to /.?
I mean sure, /. sold out a long time ago and when Dice sold them we all know it was going to an astro-turfing company...
But it really got sold to RT? Well, at least that explains the ridiculous lies and support for fascism, Trump and tin-foil hats in general
what a cluster fuck
Re: (Score:1)
Pro-tip Ivan, use an American-English spell check before posting. It will go a long way to cover your Russian troll army roots.
NBD (Score:1)
"Just" geopolitics. I like that.
It's merely two countries with vast nuclear arsenals and unstable leaders trying to destabilize each other. What could go wrong?
Story link not included in summary (Score:2, Informative)
http://www.csoonline.com/artic... [csoonline.com]
Re: (Score:3)
Look to the right of the headline. They made this change a while back. Yes, it's stupid.
The government will use a well known line... (Score:1)
'If the government has any evidence -- or even compelling reasons for being suspicious -- it should be sharing that, because many companies and consumers rely on Kaspersky Lab products.
While I wholeheartedly agree with this statement, I will not be surprised if this administration uses the line, "Sharing more of what we already have divulged, will be tantamount to giving up our sources and methods."
BTW, this line was used by Obama administration as well, when they were talking about Russian involvement in last year's elections.
How it makes sense, I cannot figure out.
Re: (Score:2)
Re: (Score:3, Insightful)
BTW, this line was used by Obama administration as well, when they were talking about Russian involvement in last year's elections.
How it makes sense, I cannot figure out.
I recall that. If one wants the gov to 'put up or shut up' regarding evidence for Kaspersky, they should want the same regarding evidence regarding Trump and Russia, but the media seems to be fine with insinuations, a lot more to assume that way.
Re: (Score:2, Informative)
I believe there is an investigation right now into whether there is evidence of collusion between Trump and Russia.
Re: (Score:3)
I believe there is an investigation right now into whether there is evidence of collusion between Trump and Russia.
You are being entirely too sensible - knock it off.
Re: (Score:1)
Suppose that the information was retrieved from the SSL connection to Kaspersky's servers. If so, then they'd have admitted that they either have compromised Kaspersky's certificates (unlikely) or they have a standard MITM attack vector for all SSL connections (a lot more likely, as it's based on trust).
Either reveal is bad for national security, so they truly shouldn't say more. I personally haven't used Kaspersky ever, as it was a 100% Russian product with root capabilities (well, on Windows everything has
Re: (Score:2)
Suppose that the information was retrieved from the SSL connection to Kaspersky's servers.
No one is asking them for info on how they may have got the stuff. All we want is *the* stuff. They will never divulge details [possibly] because this information is fake.
Re: (Score:1)
Re:The government will use a well known line... (Score:5, Insightful)
Back during the Cuban Missile Crisis President Kennedy put forward the U-2 photos showing the missile sites. He didn't hide behind the whole sources and methods thing.
If someone's not willing to present their evidence, then you probably shouldn't trust them unless they have demonstrated they can be trusted. The three letter agencies have all demonstrated they cannot be trusted.
Rarely do we get all the info we need (Score:4, Interesting)
This time is no different. There is tons of smoke, and a despot with his hand near the wheel. Regardless of whether or not there is currently corruption, there is nothing stopping it from happening undetected in the future. We have been debating this situation here, at the executive level for over a year. I have been steadfastly against making a change (We use Kaspersky), but at a certain point it comes down to putting your name on the line certifying Kaspersky as safe. Are you comfortable with that? I'm not. So I had to give in. I'm not going to put my job on the line for a commodity security software.
Re: (Score:3)
But what software are you comfortable putting your name on the line certifying as safe? and is it really any more likely to be safe than Kaspersky?
Re: (Score:2)
You are missing the point. To continue using Kaspersky REQUIRES I put my name on the line to certify it. This is not required of other solutions as they are not suspect or staffed with ex KGB agents. Before this bullshit I considered that a plus as it demonstrated skills needed.
Re: (Score:2)
Yep, better to be completely ignorant of any risk, rather than properly weigh the consequences.
It's about risk (Score:5, Insightful)
You don't have to prove that Kaspersky is in bed with Russian intelligence to not want to use it for government computers.
Merely suspecting it might be is enough reason not to use it.
Re: (Score:2)
I didn't say Israel tech would be safe! (depends what it is).
Something like firewall, malware or antivirus, should ideally be developed domestically from trusted vetted sources. If I were Russia I'd be doing the same (not using American products).
Re: (Score:2)
As was said, it doesn't matter what virus product you are using. If any of them can be compromised in a critical moment or day in history to include critical system files in a virus database and have that virus definition update pushed out to your country's computers, then damage will potentially be done if you are using their product to protect your systems. Perhaps you have policies to only check virus databases on test systems before pushing them to the live systems in your company thus introducing a
Re: (Score:2)
Re: (Score:3, Funny)
New Slashdotters: No, the burden of proof falls on Kaspersky labs.
Old Slashdotters: Anti-virus is a virus. Use Linux, not cloud services.
Me: Maybe if I produce a pithy summary, I'll get modded up.
Moderators: I would have, but then you revealed your true motives.
You: Why am I still reading this comment?
Your subconscious mind: Seriously, why are you still reading it?
US intelligence agents: He's still reading stupid Slashdot comments. Can we please
Re: (Score:2)
For government computers, yes. For your own??? Which government is more likely to be a threat to you?
It's about risk (Score:2)
We already know why Kaspersky is untrustworthy (Score:1, Insightful)
I have the info on why nobody should be using Kaspersky's software, and I don't have any classified intel. I'm about to tell you something that you've probably already known for 20 years:
Virus scanners are bullshit. If your security relies on executing totally untrusted code but hoping to have checked it against a blacklist first, then you have already lost. Your solution is stupid and you're a stupid person for thinking it might have worked.
The way to protect against viruses is to not run any code that
Re: (Score:2)
The way to protect against viruses is to not run any code that you have no reason to trust.
The problem with that is that it means that you can't use any software that you didn't write yourself, wasn't written by a person you know and trust, or that you didn't carefully examine the source to.
Comment removed (Score:5, Funny)
Re: (Score:3)
Re: (Score:2)
Re: (Score:1)
Well, you've got two problems there...make that three.
1) False positives. Just because something is flagged as a virus/trojan/etc. doesn't mean it really is, just that it has a high probability of being one. (And, of course, there are also false negatives.)
2) The manufacturer's site could be infected.
3) The manufacturer could be intentionally shipping spyware embedded in their product. (I've seen EULAs where they demanded the right to do so.)
Then there's problem 4:
4) The anti-virus could, itself, be som
Re: (Score:2)
Re: (Score:2)
The way to protect against viruses is to not run any code that you have no reason to trust. If you are having unprotected sex with a dozen strangers per day, you are going to get an STD even if you ask each stranger "hey, have you been checked out lately?" before each encounter.
Hey look, another Linux user that thinks s/he's totally safe from viruses because he somehow knows better.*
If we're going to talk about cybersecurity like we're really talking about sex, with terms like 'monogamy' and 'condoms', then the closest correct analogy I can give you is that your workplace is your home, every single co-worker is your wife, and the servers are your bed.
Your wife is generally pretty honest but sometimes she hears the call of the void and sleeps around, just this one time because you
Re: (Score:3)
Running Linux alone does not suffice. You also need to avoid the installation of Flash, to avoid JavaScript, and a few other choices...like not installing applications you don't need. Even that isn't 100% protection, but that's not available anywhere on the planet, probably anywhere in the universe.
If you want to be even more secure (this thing is layered) run some version of BSD with the same restrictions. And then you run the applications that you need to run in a virtualized environment. And that's n
Heartbleed (Score:2)
End of discussion. How many people compiled that SSL code? Millions. How many people actually read it? Apparently not too goddamn many.
What about Chinese hardware? (Score:2)
Re: (Score:2)
For the average person, that's far better than trusting Made in USA hardware and software.
Both are likely spying on you, but at least the Russians and Chinese are unlikely to drag you out of bed in the middle of the night if you say something they don't like.
Why can't they sue for slander/libel? (Score:1)
Re: (Score:3)
You can only sue the US government (in a US court) if you first get their permission.
Re: (Score:2)
Decision in the Face of Uncertainty (Score:2)
Re: (Score:2)
The evidence, IIUC, was not "Russians messing with the U.S. election", it was "someone using a Russian IP address messing with the U.S. election". So it *could* have been Russians, and it *could* have been the Russian government. But the IP address could have been spoofed. It could have been a hacker working under contract. Etc.
No need to worry (Score:3)
No need to worry. Most Americans don't take anything the White House has to say seriously, anyway.
They already did.... (Score:2)
They put up. They said that they don't trust them, and that's all they need do. They'd do the same for any other anti-virus product that they didn't trust.
End of Report, end of discussion.
Worry about competing with Russian - NOT (Score:2)
Keeping Exploits Secret (Score:2)
Re: (Score:3)
You misunderstand.
If they don't give *ME* evidence, why should *I* trust them. They don't have a very good track record for trustworthiness.
When a liar tells you something, it might be true. But since you know he's a liar you shouldn't readily believe him without evidence.
Re: (Score:2)
As opposed to all the American companies that couldn't possibly be used by American government agencies for "all sorts of purposes"?
Let's be real here. Assume all software and hardware is likely spying on you. Now choose which country is least likely to have jurisdiction to make your life miserable if you say something they don't like. I don't live in Russia, and I'm unlikely to visit there, so I'd rather their government were spying on me than the American one, because the USA seems to think it has jurisdic
Consequences (Score:1)
tired of ppl wanting intel world to out self. (Score:3, Insightful)
I am amazed at all of the idiots calling for NSA to out themselves for what they do LEGALLY.
Even now, look at what is going on with Trump investigation. Trump/family/admin continue to make a statement that is a lie. So, NSA will release a piece of evidence that refutes those lies, along with offers up another clue. Now, why do they not simply dump all of their data on ppl like Trump, Pence, Bannon, etc for their treason? Because to do so, would allow Russia and China to figure out how we spy on their spies and then get around us. That would be a disaster. The best thing that happens is when these top nations have inside information about POLICY/WHY, but not about the HOW. This has prevented a number of wars. But, once a nation like China gets the HOW, then it will lead from this China's cold war with the west, to a full blown hot war, which could lead to nukes.
REAL BAD IDEA.
Re: (Score:2)
It's almost like we have people who are shocked - SHOCKED - that intelligence agencies keep secrets, and have good reasons to continue to do so.
Reject Kaspersky for the right reasons: nonfree SW (Score:2)
While Rashid is right to challenge the Russophobic line inherent in this story (which draws from and is a repeat of the 'Russiagate' lies meant to distract the public from Hillary Clinton's 2nd presidential campaign loss and unwillingness to take sole credit for her choices which led to and explain that loss and stoke fear which could lead to war with Russia), Rashid misses the point that there is a great reason to reject Kaspersky's software: it's nonfree (user-subjugating, proprietary) software. This is t
Meanwhile... (Score:1)
Re: (Score:3)
if you install Kaspersky you are a sucker, like Moscow Donald's supporters
The correct term is 'useful idiot', get it right next time.
IN ALL SERIOUSNESS: I agree with TFA; if there is actual, independently verifiable PROOF that it's compromised by design, then the Feds should release that information. Alternately there are plenty of 'IT security researchers', and 'white hats' and plain old 'hackers' in this country (U.S.) that are more than capable of verifying whether it's spyware or not, with or without government help; where the hell are they with their reports on this?
Re:Kaspersky = KGB (Score:5, Insightful)
How are you going to verify if it's spyware or not?
Most likely the software is programmed to download automatic updates. This means that it could go from being benign to being a trojan overnight -- for whichever subset of IP addresses the people running the update servers want.
It's impossible to audit the security of autoupdating code; you're at the mercy of whoever controls the updates.
Re: (Score:2)
So the question is, "Who is more dangerous to you, personally, the KGB or the CIA/FBI/NSA?".
And that's assuming that I accept your assertion which, I admit, is plausible.