US Agency Revokes All State Discounts For Kaspersky Products (thebaltimorepost.com)
The U.S. General Services Administration has removed Kaspersky Lab from its list of approved vendors for federal systems, which also eliminates the discounts it previously offered to state governments. Long-time Slashdot reader Rick Zeman writes:
"The agency's statement suggested a vulnerability exists in Kaspersky that could give the Russian government backdoor access to the systems it protects, though they offered no explanation or evidence of it," reports the Washington Post. Kaspersky, of course, denies this, offering their source code up for U.S. Government review... "Three current and former defense contractors told The Post that they knew of no specific warnings circulated about Kaspersky in recent years, but it has become an unwritten rule at the Pentagon not to include Kaspersky as a potential vendor on new projects."
"The lack of information from the GSA underscores a disconnect between local officials and the federal government about cybersecurity," the Post reports, adding that "the GSA's move on July 11 has left state and local governments to speculate about the risks of sticking with the company or abandoning taxpayer-funded contracts, sometimes at great cost."
The Post also quotes a cybersecurity expert at a prominent think tank -- the Center for Strategic and International Studies -- who believes that "it's difficult, if not impossible" for a company like Kaspersky to be headquartered in Moscow "if you don't cooperate with the government and the intelligence services."
why the fuck (Score:1)
was russian security software on the gsa in the first place? that's like outsourcing handling of the 'football' and cloud storage of launch codes to the fsb.
Overheard at the FSB... (Score:4, Informative)
"...they're going to use Symantec? Score!"
https://www.us-cert.gov/ncas/a... [us-cert.gov]
How quaint (Score:5, Interesting)
They all cooperate to some degree with all larger governments. They do not have a choice, governments have far too much power simply because they are large customers. Assuming otherwise is exceptionally naive. Of course, there are limits. No AV vendor will allow known government malware (US, Chinese, Russian, etc.) through. They cannot afford that. Making it easier for unknown malware is a different thing. In the end, as long as the exposure-risk for them is small, AV vendors will cooperate with the criminally-minded government agencies that modern governments seem to treasure so much. Governments, unfortunately, are yet again in the process of becoming the enemy of not only their own citizens, just like history never happened.
The one thing we can now be reasonably sure of is that Kaspersky will now stop cooperating with the US government, which, in my book, makes their products better than what the competition has.
Re: (Score:3)
No AV vendor will allow known government malware (US, Chinese, Russian, etc.) through.
http://www.reuters.com/article... [reuters.com]
Re:How quaint (Score:4, Insightful)
Getting subverted by criminal means does not count as "allowing". It counts as having gotten compromised. Anyways, nobody in their right mind will use RSA products for security at this time. They have screwed up far too often in the last few years. (Yes, I am aware their stuff still gets used. Do not expect a working security mind-set anywhere where that is the case....)
Re:How quaint (Score:4, Informative)
The US did consider that for Magic Lantern.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
I am aware of that discussion. What I meant by "known" is "the binaries and signatures are in the public" and that means everybody can find out whether an AV product detects it or not. The negative fallout of not detecting it in that situation would be disastrous for any AV company. Sure, initially, they could claim ignorance, but if they insist on non-detection, that would be another story. Also, somebody has to try the malware against the AV products. Not really difficult, one upload to VirusTotal is enou
Re: (Score:1)
the criminally-minded government agencies that modern governments seem to treasure so much.
We call that normal police co-operation here, in the other side of the world. That said, many US AV vendors generally do co-operate with the US government, while the vendors from independent, small countries tend to avoid that particular hook. $-) (That's my patriotic marketing wink)
And for good reason... (Score:5, Interesting)
The possibility that Kaspersky Lab is beholden to the Russian government is real.
Yes, yes, I know the same can be said for American-based "security" companies, but it's more likely they are beholden to American spy agencies.
Re: (Score:1)
As history has abundantly demonstrated, being beholden to US TLAs is not necessarily better, certainly not in terms of risk of compromise and mass monitoring of US citizens. -PCP
Re: And for good reason... (Score:2)
"These people," are the government. What are you on about?
Re: (Score:2, Insightful)
Yeah, good thing Hillary wasn't elected. She wouldn't have been a proper doormat for Putin.
Re: (Score:1)
when the next big war starts, a lot of computers all over the world are rapidly going to get pwned.
once computers and the internet become "the enemy" people are just gonna have to turn them off!
as long as people only use computers and the internet for entertainment, everything will be fine. if people start using computers and the internet for important things like critical infrastructure or national defence then there will be big trouble!
Re: (Score:3)
Our network is a critical infrastructure.
Nearly all communication ends up on the internet in some way.
A nationwide internet outage would cripple us, make us prone to physical attack and demoralize the nation.
This isn't the 1980's where networked computers are used by a few egg heads to discuss Star Trek anymore.
Hmmmmm... (Score:4, Interesting)
"The agency's statement suggested a vulnerability exists in Kaspersky that could give the Russian government backdoor access to the systems it protects, though they offered no explanation or evidence of it," reports the Washington Post. Kaspersky, of course, denies this, offering their source code up for U.S. Government review... "Three current and former defense contractors told The Post that they knew of no specific warnings circulated about Kaspersky in recent years, but it has become an unwritten rule at the Pentagon not to include Kaspersky as a potential vendor on new projects."
I'm not a security expert, but I don't know that this would necessarily soothe me. For example, perhaps the "backdoor" is devilishly obscured. Or, perhaps future exploits of a particularly tricky and secret nature will mysteriously not be added to whatever library Kaspersky's stuff uses. And then there is the issue of regular software updates: does the US government have to check the code with a fine-tooth comb every time? This alone would be problematic.
I mean, come on! To imagine that the Russians would not at least TRY to leverage the Kaspersky install base is ignorant.
Re: (Score:2)
Heck, if you don't compile it yourself with a fully reproducible build process, the source could be a lie.
Re: (Score:2, Interesting)
Depending on the development environment in question, for added fun, you could still have problems [cmu.edu] even if you compile it yourself. On the bright side, things like diverse double compiling [dwheeler.com] might be helpful in this area. -PCP
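The two comments above raise reproducible builds and diverse double-compiling (DDC) as the answer to "the source could be a lie". The following is an added illustration, not code from either commenter or from Wheeler's DDC work: a toy model in which sources are strings and "binaries" are records of what they were built from, which compiler built them, and whether a self-propagating trojan is present. The class names, the marker used to recognise compiler source, and the sample source strings are all constructed for this example.

```python
import hashlib
from dataclasses import dataclass

# Toy model of Diverse Double-Compiling (DDC). Nothing here invokes a real
# compiler; the point is the comparison logic, not the build itself.

def digest(text: str) -> str:
    """Short, stable identifier for a source text."""
    return hashlib.sha256(text.encode()).hexdigest()[:12]

def is_compiler_source(source: str) -> bool:
    # A trojaned compiler must somehow recognise compiler source in order to
    # re-insert itself; in this toy the marker is a compile() definition.
    return "def compile(" in source

@dataclass(frozen=True)
class Binary:
    source_id: str   # digest of the source this binary was built from
    built_by: str    # source_id of the compiler that produced it
    backdoor: bool   # True if the self-propagating trojan is present

    def compile(self, source: str) -> "Binary":
        """Use this binary as a compiler on `source`."""
        # A trojaned compiler silently propagates itself whenever it recognises
        # compiler source; a clean compiler never adds the payload.
        propagate = self.backdoor and is_compiler_source(source)
        return Binary(digest(source), self.source_id, propagate)

# Constructed sample sources: the compiler under test (A) and an independent
# compiler (T) written by somebody else, which DDC uses as the diverse root.
SUSPECT_SOURCE = "class A:\n    def compile(self, src):\n        pass  # compiler under test\n"
TRUSTED_SOURCE = "class T:\n    def compile(self, src):\n        pass  # independent compiler\n"

def diverse_double_compile(suspect: Binary, trusted: Binary, suspect_source: str) -> bool:
    """Return True if `suspect` is consistent with its published source."""
    stage1 = trusted.compile(suspect_source)      # build A's source with T
    stage2 = stage1.compile(suspect_source)       # rebuild A's source with that result
    reference = suspect.compile(suspect_source)   # A rebuilding itself
    # stage2 and reference were both produced by a compiler built from A's
    # source, so with a deterministic build they must match exactly. A trojan
    # that lives only in the suspect binary cannot survive the trusted stage.
    return stage2 == reference

def stage_comparison(suspect: Binary, trusted: Binary, suspect_source: str):
    """Show why two stages are needed: stage1 was produced by T, so it differs
    from A's self-build even when A is honest; only stage2 is comparable."""
    stage1 = trusted.compile(suspect_source)
    stage2 = stage1.compile(suspect_source)
    reference = suspect.compile(suspect_source)
    return stage1 == reference, stage2 == reference

def make_suspect(trojaned: bool) -> Binary:
    sid = digest(SUSPECT_SOURCE)
    return Binary(sid, sid, trojaned)  # self-hosted: built from its own source

TRUSTED = Binary(digest(TRUSTED_SOURCE), digest(TRUSTED_SOURCE), False)

if __name__ == "__main__":
    for trojaned in (False, True):
        ok = diverse_double_compile(make_suspect(trojaned), TRUSTED, SUSPECT_SOURCE)
        print(f"trojaned={trojaned}: DDC {'passes' if ok else 'FAILS'}")
```

The model keeps the reason for the second compilation: a binary built by T differs from A's self-build simply because a different compiler produced it, so comparing stage1 to A would always fail. Real DDC additionally depends on the build being deterministic, which is exactly what the reproducible-build comment is asking for.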
Re: (Score:2)
Strawman. The USG delisting Kaspersky as an approved vendor in no way impacts what other countries can/will do. The impact of the delisting is limited to USG purchases.
Re: (Score:2)
Not a strawman. He explicitly extends ("using[sic] that logic ...") the paranoid thinking to a logical conclusion. That doesn't mean that you have to agree with that extreme form of paranoia or that he implies that you do.
Re: (Score:2)
Using the "Every country in the world" bit is a ridiculous argument given that the context is explicitly the U.S. delisting a vendor from a country that has been shown to meddle in our election process. The USG delisting Kaspersky has absolutely _no_ impact on other countries.
So, yeah, it _is_ a strawman.
Re: (Score:2)
There's a limit to how obscure backdoors can be. At the end of the day, the backdoor has to either initiate or receive a connection, and that gives the game away. The problem is that monitoring connection logs is tedious, boring, and -- if you're paying someone competent -- expensive.
Moreover, the risk/reward for creating and using a backdoor in security software doesn't make sense when the ability to exploit 0-days in the OS itself is so easy. Why blow your own hard-earned reputation when you can blow s
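The comment above makes the point that a backdoor has to talk to something, and that the cost is in the tedium of reviewing connection logs. As an added illustration (not the commenter's code, and not any product's log format), the following script automates the boring part: it parses a constructed sample of outbound-connection records, keeps only the security product's own process, and reports destinations outside an assumed allowlist of documented update and cloud-lookup endpoints. The process name, the allowlist entries and the key=value log layout are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a simple key=value layout (not a real
# product's format). Hostnames use reserved example domains and a TEST-NET address.
SAMPLE_LOG = """\
2017-07-12T10:02:11Z host=ws01 proc=avscan.exe dst=updates.av-vendor.example:443 bytes=52310
2017-07-12T10:02:15Z host=ws01 proc=avscan.exe dst=cloud-lookup.av-vendor.example:443 bytes=1204
2017-07-12T10:05:40Z host=ws02 proc=avscan.exe dst=updates.av-vendor.example:443 bytes=50112
2017-07-12T10:07:03Z host=ws02 proc=browser.exe dst=news.example:443 bytes=88020
2017-07-12T10:09:58Z host=ws03 proc=avscan.exe dst=203.0.113.77:8443 bytes=310
2017-07-12T10:10:02Z host=ws03 proc=avscan.exe dst=203.0.113.77:8443 bytes=742
"""

# Assumed allowlist: the destinations the vendor documents for its client.
# Anything else contacted by the same process is worth a human look.
AV_PROCESS = "avscan.exe"
EXPECTED_DESTINATIONS = {
    "updates.av-vendor.example:443",
    "cloud-lookup.av-vendor.example:443",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$"
)

def parse_log(text):
    """Parse lines into dicts; malformed lines are skipped instead of aborting the review."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["bytes"] = int(ev["bytes"])
            events.append(ev)
    return events

def unexpected_destinations(events, process=AV_PROCESS, allow=EXPECTED_DESTINATIONS):
    """Group connections from `process` to destinations outside `allow`.

    Returns {dst: {"hosts": set_of_hosts, "count": n, "bytes": total}} so that a
    reviewer sees one line per unexpected endpoint rather than one per packet.
    """
    findings = defaultdict(lambda: {"hosts": set(), "count": 0, "bytes": 0})
    for ev in events:
        if ev["proc"] != process or ev["dst"] in allow:
            continue
        f = findings[ev["dst"]]
        f["hosts"].add(ev["host"])
        f["count"] += 1
        f["bytes"] += ev["bytes"]
    return dict(findings)

def review(text):
    """Parse and summarise in one step; convenient for piping a log export in."""
    return unexpected_destinations(parse_log(text))

if __name__ == "__main__":
    for dst, f in review(SAMPLE_LOG).items():
        print(f"{dst}: {f['count']} connections, {f['bytes']} bytes, hosts={sorted(f['hosts'])}")
```

Run against the sample, the script reports the single endpoint that the product is not documented to contact. On a real estate the allowlist comes from the vendor's published endpoint list and the review runs on a schedule, which turns the "tedious, boring" part into a short daily diff.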
No discount? (Score:5, Funny)
Well then, we'll just switch to the cheaper Chinese stuff.
Re: (Score:2)
Thanks for posting the stupidest thing I've read so far today.
Well duh... (Score:5, Insightful)
Software built by Russian companies is backdoored by Russian spooks.
Software built by American companies is backdoored by American spooks.
Software built by Chinese companies is backdoored by Chinese spooks.
Does this surprise anyone at all?
Re: (Score:2)
"As you know yourself you know others"
Guess the software which really shouldn't be trusted is the American made one ...
How to trust? (Score:3, Interesting)
Re: (Score:1)
No advantage for code security (Score:2)
National origin doesn't matter, people simply can't have full faith in closed source.
People can't have full faith in open source either unless they are either capable of reviewing all the code themselves or can somehow establish a trusted chain of custody for all the code and tools to compile it. Most people cannot do the former and only large organizations realistically have the resources to do the later. There are undeniably huge advantages to open source but code security doesn't stand up to strict scrutiny in real world use for non-trivial use cases. I don't compile my software like
Good work (Score:2)
https://en.wikipedia.org/wiki/... [wikipedia.org]
dr.Web (Score:1)
Do as we did in Sweden. (Score:1)
https://www.privateinternetacc... [privateint...access.com]
Only one party voted against outsourcing it outside Sweden, the Sweden democrats. Another party decided to not vote at all, the Left party, possibly they were against it but refused to vote like the Sweden democrats with that result. The rest voted for it. .. and well.. that was good?
Re: (Score:2, Informative)
For those of you not familiar with Swedish politics, the Sweden "Democrats" are anything but. They're right-wing/racist/ultra-nationalist, with their origins in the White Power movement and the Swedish Nazis. (Fun fact: Sweden never outlawed the Nazi Party.) They're a minority in the Riksdag, and every other party with seats refuses to co-operate with them on any matter.
The irony here is that SD are anti-EU and pro-Russian and they're attempting to score political points pretending to be against something t
Re: (Score:1)
For those of you unfamiliar with leftists rhetoric, anyone right of Stalin is a xenophobic Nazi racist literally Hitler sub-human jew.
This is an unfortunate, but also accurate summary of politics in the EU.
Re: (Score:1)
Yeah!? Well here in Oz, you can buy Nazi Goering noodles in almost any supermarket. That's about as Nazi as you can get.
Re: (Score:1)
the Sweden "Democrats" are anything but
Democracy's flaw is that it allows the dictatorship of the majority. If you value the collective more than the individual that's fine. But I have a hard time accepting it. But that's a fact. And the Sweden democrats are just as much democrats as anything else. Any claim for them being anti-democrats beyond valuing the opinion by the Swedes higher than that of the non-Swedes (all national democratic parties should do exactly that) is complete bullshit simply by association.
Regardless Sweden isn't a funct
Re: (Score:2)
Even a stopped clock is right twice a day.
Re: (Score:2)
Fancy you. I just have a broken clock.
Re: (Score:2)
Just the FRA wanting to keep its third party sigint agreement with the NSA, GCHQ.
For that they have to show a good attitude.
Re: (Score:1)
Why all the Russophobia?
Did Russia violate any Swedish interests lately, or are you guys still bitter over 1809?
The left haven't even cared about having a fucking defense whatsoever.
They don't want us to export weapons. They don't want us to make weapons. They don't want us to spend money on the defense. They'd rather send their most annoying screaming loud-mouths over and hope that does the trick, I guess.
It's very simple, and it's not even about democracy and rights, you didn't have that in the USSR either: For the Swedish communists the USSR was good because they were communists. As of right now, because communism isn't ruling
Re: (Score:1)
.. kinda telling none of the idiots who commented on my comment focused on what had actually happened: That information supposed to be controlled by the authorities was leaked abroad, but instead focused on the one party which was against allowing that to happen in the first place. .. All focus on the party, none on the actual subject .. .. which also explains how the Swedish parliament & media work, but it's so retarded.
Crap Headline (Score:2)
Better: "US Govt. Removes Kaspersky from Approved Vendors List".
How did Kaspersky get the contracts before? (Score:2)
The US Government MUST of, at least internally, had discussions about this very subject before all the Russian hacking came around. I mean Kaspersky has been around for at least a decade, plenty of time to root everyone's PC. I am not saying Kaspersky is Putin's lap dog, but I want to know what the discussions were before this whole fiasco happened and what evidence has shown that Kaspersky is dangerous now.
I mean it feels like Putin is having us run around in circles while all he is doing is sitting having a
Re: (Score:3)
Must of what? Apples?