
Kaspersky Lab Has Been Working with Russian Intelligence - secfirstmd
https://www.bloomberg.com/news/articles/2017-07-11/kaspersky-lab-has-been-working-with-russian-intelligence
======
gtirloni
The article seems a bit hyperbolic to me. Expecting a major Russian
cybersecurity company not to have any business with its own government is a
bit naive. Not all government business is spying and unlawful activities.

From what Bloomberg is sharing with us (I couldn't find those emails),
Kaspersky is developing a software solution with defensive and offensive
capabilities as well as providing consultancy services to the FSB in hunting
down criminals (Bloomberg says Kaspersky is "banging down doors").

~~~
muninn_
Right. Why would anybody be surprised by this knowing full well that American
companies do the same?

~~~
ProAm
Because the Russians are the bad guys. /s

~~~
mwfunk
I didn't believe this as a child in the '80s, but in the last 10 years at
least, Putin's Russia has been freaking horrifying to me. So yeah, they aren't
the world's only bad guys, and they're probably not the worst, but it's not
for lack of trying. Putin's vision of Russia doesn't even try to avoid looking
comically sinister. I honestly don't see how anyone who isn't wrapped up in
self-interested religious or ethnic nationalism could see it any other way.

~~~
linkregister
The problem with that viewpoint is to treat Russia as a monolithic entity.
Despite military aggression and political and speech repression by the ruling
_junta_, there is still a vibrant and mostly functional economy.

Kaspersky providing services to the FSB (which is kind of like NIST, FTC, FCC,
FBI, and DHS all in one) is little different to Cisco or IBM providing
consulting services for the respective U.S. agencies.

Political conflict has always been this way, it's just more apparent now that
trade information is widely accessible.

To compare, Japanese companies traded with the U.S. up until the 1941
invasion, despite significant political conflict between the two countries
over Manchuria and the colonies in Southeast Asia.

~~~
freehunter
I don't think it's entirely unfair. We know that the Russian government
sponsors cyber attacks. They're not the only ones, we know the USA and China
and North Korea and Israel and probably every other country does too. It all
has to be taken into account.

If I buy Cisco gear, what's the likelihood that it has an NSA tap in it? [1]
If I buy Check Point gear, what's the likelihood that it has a Mossad tap in
it? [2] If I buy Kaspersky software, what's the likelihood that it has an FSB
tap in it? Who would I rather be spied on by?

Does it change the risk rating if we know we're under active attack by a
particular country? As someone who works for a major tech company, I can tell
you Snowden's information about the NSA cut deeply into the trust we had built
up with our foreign customers.

It is entirely fair to judge a Russian security company based on the actions
of their government related to cyber attacks. Especially considering the not-
entirely-democratic government of Russia does not allow private sector
companies to be entirely private sector.

[1] [https://www.engadget.com/2016/08/21/nsa-technique-for-cisco-spying/](https://www.engadget.com/2016/08/21/nsa-technique-for-cisco-spying/)

[2] [http://greatcircle.com/firewalls/mhonarc/firewalls.199707/msg00223.html](http://greatcircle.com/firewalls/mhonarc/firewalls.199707/msg00223.html)

~~~
linkregister
Your point is undermined by your links. The first describes a _remote network
exploit_, which is not developed by coöperation or coercion. Exploits take
advantage of a software vulnerability to insert additional capabilities
(espionage). I think you wanted to find a link describing the process of
_interdiction_, which was implied to exist in the Snowden documents.

The second link is just a public denial by Check Point. I'm not sure why
you're implying these companies coöperate with their governments. A discovered
back door would destroy Kaspersky, Huawei, Cisco, Check Point, etc.; nobody
would renew their contracts with that massive loss of trust.

I do think you raise an excellent point. The actual reality that these
companies aren't providing back doors is not relevant when the _perception_ is
that they are. The greatest risk is not coöperation, but of remote
exploitation of the software. It turns out that there are a few major
countries known for conducting network exploitation campaigns, unrelated to
the country of origin of the target software. Just as the Stuxnet guys were
almost certainly not German, yet they had a vulnerability in Siemens software,
and the NotPetya authors didn't exert physical influence over ME.Doc in
Ukraine, attackers have little to do with where the software was built.

As long as a government acts "scary", however, it makes companies feel less
secure in the software, which affects sales. I'm not singling out software and
hardware procurement officers; the "feels = reals" phenomenon is a human
condition.

~~~
jacquesm
> A discovered back door would destroy Kaspersky, Huawei, Cisco, Check Point,
> etc.; nobody would renew their contracts with that massive loss of trust.

Given that a backdoor could look like an undiscovered exploit I fail to see
how the one would result in the other, besides that where will you turn? To
one of the other parties... Consider this the present situation and almost
nobody has moved away from their vendors. Except maybe Juniper (not in your
list) I don't see any of these brands as damaged (yet).

~~~
linkregister
I don't think any credible vulnerability researcher would conclude any of
those companies' software vulnerabilities were back doors. If you know of one,
please let me know.

All of these companies write software in languages that require the programmer
to track memory management and bound their own copies. The probability that
software written in languages like that will generate a memory corruption
vulnerability is extremely high.

Has Juniper actually been damaged by the backdoored source code scandal (which
is the only genuinely back doored American company I can think of)?

This report claims a 5% YoY net revenue increase, along with higher GAAP
profit.
[http://investor.juniper.net/investor-relations/press-releases/press-release-details/2017/Juniper-Networks-Reports-Preliminary-Fourth-Quarter-and-Fiscal-Year-2016-Financial-Results/default.aspx](http://investor.juniper.net/investor-relations/press-releases/press-release-details/2017/Juniper-Networks-Reports-Preliminary-Fourth-Quarter-and-Fiscal-Year-2016-Financial-Results/default.aspx)

------
marcusjt
Whatever next? Have American AV companies been "Working with American
Intelligence"? That would be just as shocking... ;)

~~~
pjc50
Thanks to the wonders of the free market, you can choose which global
intelligence service you want your software to be compromised to!

(I'm not even sure if this is a joke)

~~~
LarryPage
Or you can put off such decisions, and be compromised by all!

------
technologia
No shit. This isn't really news, as a few others point out that companies
generally tend to work with their respective country's government. You won't
see Kaspersky AV on a US government workstation and you won't see McAfee on
any of their workstations for example.

~~~
Bartweiss
The real news here, the part that makes the US government care, is "As many as
200 million [people] may not know [they use Kaspersky]."

Businessweek buried the lede (potentially-compromised firmware in devices you
don't realize carry it) behind the blatantly-obvious (AV companies are not
government-independent). Well, that and Kaspersky may have been lying about
what connections they _do_ have, but frankly that's not surprising either.

------
commenter98456
He who smelt it dealt it?

CrowdStrike, FireEye, Cobalt Strike, Symantec, etc... are they CIA fronts as
well?

As an American, why would I trust the CIA/NSA over the SVR/GRU? I wish I
didn't have to ask that, but the fact is, and I'm sure some will agree - it is
the CIA/NSA machine that can make my life here in America hell, not the
SVR/GRU.

I can understand the concern when it comes to critical infrastructure and
government software. However in the private sector and for individuals - "A
tyrant 3000 miles away" is less of a threat than "3000 tyrants a mile away".

~~~
adventured
> As an american, why would I trust the CIA/NSA over the SVR/GRU?

Because one is tasked - _in theory_ - with protecting you, the other is
tasked solely with protecting Russians (at your expense as necessary). It's
that simple. And if you're going to claim the NSA never does anything to keep
Americans safe, it would degrade your credibility toward zero.

~~~
commenter98456
They do plenty to protect what they consider is worthy of protection, which
often leaves me out. Protection in their sense includes depriving me of basic
rights and freedoms (so long as I'm "Safe").

It's not their official duties that I find dubious but their historical and
ongoing ignorance of them. If they simply did their job I wouldn't even need
to ask that question.

I'd probably ask the same of SVR/GRU if I lived in Russia.

If the NSA/CIA were doing their job, they wouldn't spy on their own people and
they certainly wouldn't make secret deals with security companies and
infiltrate their ranks to have a strategic advantage. Letting security
companies independently do their job would be "protecting America" backdoors,
hoarding exploits, influencing weak crypto, etc... I'm sorry but the Russians
don't even have the ability to do some of that even if they have the will.

GRU or NSA for both "ends justify means", if you're on the "ends" side, pick
software backdoored by your home country. If you're on the "means" side, pick
the other guy.

I suppose it's time to consider what "collateral damage" in the sense of
geopolitical computer security is.

------
projectramo
Thank goodness we don't have to worry about the big tech companies working
with intelligence services in the USA.

------
captainmuon
Before we entered The Darkest Timeline, NSA used to be known for helping
American companies with their encryption and cybersecurity, and preventing
corporate espionage.

I'm one of the first when it comes to criticizing overreach of governments and
intelligence agencies, but I do recognize that they do a lot of legitimate and
positive work.

~~~
the-dude
Preventing corporate espionage : priceless!

"The paper said the agency "lifted all the faxes and phone-calls between
Airbus, the Saudi national airline and the Saudi Government" to gain this
information."

Agency : NSA.

[http://news.bbc.co.uk/2/hi/europe/820758.stm](http://news.bbc.co.uk/2/hi/europe/820758.stm)

~~~
captainmuon
Well, prevent espionage from other countries on US firms of course. And there
is always the discrepancy between stated goals and reality.

------
DarkKomunalec
As always, any implication that all closed-source software, regardless of
company, suffers from similar issues, is conveniently absent. Just as it was
during the VW emissions scandal - it's the _cheating_ that was problematic,
not that consumers are effectively in the dark about how most of their
products operate, and deliberately prevented (successfully or not) from
finding out (personally, or done on their behalf by others).

~~~
hellbanner
Do you think because the implications of open-source software would threaten
the economic model & world that the writer lives in?

Or that it's just an oversight and they just want to earn clicks? I think it's
the latter, even if it's in effect the former (unintentionally).

~~~
DarkKomunalec
I don't think _this_ writer omitted it intentionally. I think it's because
journalists that are too at-odds with corporate (or other dominant narrative)
just have a harder time in their career. No-one gets censored, except in rare
cases - they just don't have their contract extended. See
[https://cartoonistsrights.org/u-s-cartoonist-fired-after-criticizing-monsanto-and-dupont/](https://cartoonistsrights.org/u-s-cartoonist-fired-after-criticizing-monsanto-and-dupont/),
but I imagine it's usually handled more subtly.

~~~
hellbanner
"In a Facebook post following his firing, Friday wrote that the incident
showed “how fragile our rights to free speech and free press really are in the
country.”"

Indeed.

------
ajarmst
It's hardly odd for a computer security company to seek government contracts.
The released emails don't seem to point to anything nefarious (unless merely
working with the FSB is considered nefarious). The remainder is a lot of
"could" and "would be possible" speculation. Conspiracy mongering clickbait.
Moving on.

------
Trickilozis
Of course they have. They are a business based in Moscow. I would be surprised
if they hadn't. They are just too attractive a target for the Kremlin not to
try to co-opt. No idea how any US corporate security team could justify
working with them, quite honestly.

~~~
lawnchair_larry
Do you also have no idea how any non-US security team can justify working with
Microsoft?

------
sebtoast
Does anyone have the Reddit thread where Kaspersky posted? I'm curious to read it.

~~~
thephyber
The Kaspersky AMA thread from May of this year:

[https://www.reddit.com/r/IAmA/comments/6ajstf/im_eugene_kaspersky_cybersecurity_guy_and_ceo_of/](https://www.reddit.com/r/IAmA/comments/6ajstf/im_eugene_kaspersky_cybersecurity_guy_and_ceo_of/)

------
coldtea
Unlike US-based security companies?

~~~
sigsergv
Yes, US-based security companies don't work with FSB.

