
Kaspersky: Yes, we obtained NSA secrets. No, we didn’t help steal them - gvb
https://arstechnica.com/information-technology/2017/11/kaspersky-yes-we-obtained-nsa-secrets-no-we-didnt
======
orf
So an NSA contractor or employee takes confidential/highly sensitive code and
documents home and leaves it on their machine. They then install a pirated
version of Office, after disabling their antivirus software which is telling
them it is infected with a virus and preventing the installation.

Seems like massive incompetence from this user rather than Kaspersky doing
anything malicious, and those files were destined to be leaked somehow the
moment they left the NSA.

I'm sure there are some employees there who may report or leak things to the
Russian government, but I don't buy the narrative that Kaspersky is some evil
Russian cyber hoover. Maybe I'm naive though.

~~~
qaq
You are being naive. You cannot operate a business the size of Kaspersky in
Russia without being a part of the inner circle.

~~~
nasredin
If you want to do business in Russia you will have to deal with organized
crime and/or the government, which are very often the same people.

~~~
snowpanda
Ok so I know very little about Russia, where would one go to verify that
claim? I'm not disputing it at all, just trying to inform myself.

One of the reasons I ask, is related to Telegram. I'm aware of the crypto
argument. But it seems (from the outside, so could be a complete cover of
course) that Pavel Durov is somewhat taking a stand against their
government[1][2][3]. Is that simply because he has enough money to do so? Or
is it just a show to give people the idea he's taking a stand?

[1] https://www.reuters.com/article/us-russia-telegram-security/telegram-app-agrees-to-register-in-russia-but-not-to-share-private-data-idUSKBN19J1RK

[2] https://www.neowin.net/news/russian-government-fines-telegram-for-refusing-to-give-up-user-data

[3] https://www.deepdotweb.com/2017/10/30/russian-government-fines-telegram-not-providing-backdoor/

~~~
qaq
Right after he lost control of his company (FB clone) when he refused to shut
down opposition-related groups on it. He openly talked about pressure from the
FSB etc. Telegram is not run out of Russia and Durov does not live in Russia.
So if you don't mind losing all your Russian assets and living in exile you
sure can speak out :)

~~~
ryanlol
>Telegram is not run out of Russia and Durov does not live in Russia

FWIW this is bullshit, the Telegram office in St. Petersburg is literally one
floor below the VK office and Durov is regularly present there.

The whole exile thing is a charade, they've gone as far as assaulting people
to try to keep it up: https://m.lenta.ru/news/2017/03/20/durov/

------
rando444
Before this article was published I don't think it was alleged that Kaspersky
ever did anything.

All the public knew is that allegedly Israel hacked Kaspersky and noticed the
Russian government using Kaspersky's tools to try and dig out secret
documents.

I mean who knows, maybe the Russian government had a backdoor that they were
abusing, maybe they hacked Kaspersky themselves, or maybe they were just given
access.

I would have given Kaspersky plausible deniability before this article... now
I just don't believe them.

At face value their explanation sounds reasonable.

However, the original claim is that the Israelis were watching in real-time as
agents searched computers around the world for secret codenames [0]... which
is a world away from the explanation given in the submitted article.

[0] https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html

~~~
r721
Also this part from the WSJ article remains:

"For many months, U.S. intelligence agencies studied the software and even set
up controlled experiments to see if they could trigger Kaspersky’s software
into believing it had found classified materials on a computer being monitored
by U.S. spies, these people said. Those experiments persuaded officials that
Kaspersky was being used to detect classified information."

https://www.wsj.com/articles/russian-hackers-scanned-networks-world-wide-for-secret-u-s-data-1507743874

~~~
londons_explore
As a spy agency, this is how you put the middle finger up to a remote spy
agency. You report their malware to an antivirus database.

It's basically saying 'ha ha, we caught you, and now the whole world can look
at what you were up to'.

Presumably, the NSA will have automated monitoring tools scanning every bit of
AV software and AV databases looking for any of their own tools there, so they
know right away when someone has publicly outed them.

I wouldn't be surprised if these weren't even hooked up to automated self-
removal logic so that NSA malware could remove itself in seconds worldwide if
an AV database were updated to detect it.

------
r3bl
I have to ask:

Is there any concrete evidence against Kaspersky doing anything remotely
concerning since this whole charade against them started in 2015 or is it
still "they're Russian, so they _must_ be doing something bad" scenario?

EDIT: Fuck if I understand why people like JohnStrange, revelation and ryanlol
are downvoted in their replies to this comment. They're on topic.

~~~
odiroot
Watching the US situation from outside, it seems there's an urgent need for
some kind of a bad guy.

Kaspersky is just an easy target and apparently three-letter agencies have the
means to steer the media to pursue this direction.

~~~
whoopdedo
Remember last year when Kaspersky accused[1] Microsoft of anti-trust for
disabling their antivirus? And Microsoft admitted it was done in the name of
compatibility.[2] Something about that seemed fishy to me because none of the
other AV vendors were complaining. Was Microsoft told to intentionally
sabotage Kaspersky?

[1] https://www.computerworld.com/article/3141470/security/kaspersky-founder-calls-out-microsoft-for-av-shenanigans.html

[2] https://www.theverge.com/2017/6/20/15836208/microsoft-kaspersky-eu-anti-virus-complaint-response

~~~
londons_explore
That sounds like a legit software incompatibility to me.

Kaspersky was probably using some private API they shouldn't have been using,
and when Microsoft changed the API or changed the way it worked, they had to
disable Kaspersky or computers would no longer boot up.

When companies do that, they nearly always reach out to the affected vendors
with advance warning so the vendor can do a rushed fix, but repeat offenders,
or issues detected very late in the game before release can end up with no
notice.

------
Asdfbla
Seems plausible, though regardless of whether Kaspersky cooperates (maybe
under some gag order) with Russian agencies or not, it seems prudent for any
government in the world to avoid using software that potentially uploads
confidential data to foreign servers. Governments anywhere would probably be
ill-advised to use anti-virus software from countries like the US or Russia,
unless they can be sure that cloud analysis is either disabled or done in
local datacenters.

I guess on the bright side at least the anti-virus market has a variety of
firms based in many different countries, so you can choose your poison based
on how trustworthy you find the respective governments. Doesn't help you when
they themselves get hacked though.

As for the story itself, I kinda dislike the reliance on access journalism and
"unnamed" sources in many of the reports. Yes, there surely are many
legitimate reasons why sources have to remain anonymous, no doubt about that.
But in a case that's so highly political it kinda leaves a bad taste if the
story is so dependent on unnamed government sources.

~~~
trhway
>whether Kaspersky cooperates (maybe under some gag order) with Russian
agencies or not

no offense, it is just very entertaining (and educational) to observe how
people from one culture try to apply their mental frameworks to a completely
different mentality. There is no "whether", "or not", "gag order" (in the
sense as if an explicit one was necessary) in the Russian reality in the
context of a private company cooperating with the FSB. Hell, there is not even
much "cooperating". An FSB guy just says what he wants to get, and he gets it
pronto. And in cases like Kaspersky it is even more straightforward, as
Kaspersky and the others there are FSB guys.

I mean it is like a joke among Russians here:

"Did you hear? The NSA thinks about stopping to use Kaspersky on their
computers!"

"Wow! How did they discover (the ploy)? Was it the parachute?"

(the parachute is a reference to a very well known joke about a USSR spy in
Nazi Germany from a very popular TV movie - the spy was so good and invincible
that the deployed parachute he was dragging behind him in open daylight on
the streets of Berlin was the only possible clue for the Nazis)

Again, it is a different reality. In the US the law protects from and punishes
illegal cooperation, whereas in Russia the system protects cooperation and
punishes refusal to do so.

~~~
codedokode
> In US law protects from and punishes for illegal cooperation

Then they can insist on _legal_ cooperation. I remember how Pavel Durov
(founder of Telegram) wrote that US secret service agents were stalking him in
the US and tried to bribe one of his developers.

------
matt4077
Kaspersky's story here seems completely believable. Yet the US government's
warnings also seem reasonable even given just the facts everyone agrees on.

I guess the larger lesson may be how Russia's failure to establish rule of law
makes it impossible to run a business that depends on trust. The US should
take note: if they succeed in breaking Apple et al.'s attempts to protect their
users, pretty soon the only countries you'll want to buy software from are
Norway and Canada.

~~~
indubitable
It's interesting to analyze your comment for a minute. Consider that PRISM was
revealed in 2013. It is a far-reaching surveillance program carried out by the
NSA with the assistance of numerous major tech players, including Apple. [1]
Its unveiling was certainly an embarrassment both for the companies involved
and for the NSA. And here we are in 2017, just 4 years later, with you
stating that users can "trust" companies, including Apple by name, to
implicitly protect their data from government overreach.

Essentially, that the government is publicly running a campaign to openly
access user data does not in any way change the fact that they already have
covert access to that data in private. Why are they doing this? One can only
speculate, but I'd imagine one reason is that unlawfully obtained information
and evidence is not admissible in court leading to all sorts of fun things
like parallel construction. [2]

[1] https://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data

[2] https://en.wikipedia.org/wiki/Parallel_construction

~~~
willstrafach
That does not make much sense. US companies have always needed to hand over
information when presented with a warrant from LE or the FBI, I don't think
that was ever denied by a US company.

In Apple's case, this would be any iCloud data which they can access and is
not encrypted (such as contacts or calendar entries). However, the OP was
referring to something completely different: Government attempts to force
Apple to weaken data-at-rest encryption on everyone's devices.

It is fine if you believe that sealed/secret warrants are problematic, but it
seems strange to equate that with the weakening of security for all.

~~~
indubitable
It seems you're conflating a couple of our surveillance programs. PRISM
operates in coordination and active cooperation with a relatively small number
of US companies, including Apple. There is a rubber-stamp warrant, of which our
secret court approves over 99%. The type and amount of information accessed
here is extensive and includes encrypted and personal information - as well as
even real-time access to user accounts. You can see the NSA slides on PRISM
here: https://archive.org/details/NSA-PRISM-Slides As an example of this,
the NSA has real-time access to encrypted Skype conversations:
http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html
The breadth of information being collected was increasing quite rapidly, and
everything I'm basing this on is from 3-4 years ago.

Another surveillance program, that you seem to be conflating with PRISM, is
MUSCULAR. That program is not as well known as PRISM. And it does what you're
suggesting in directly tapping communication lines grabbing data from
everywhere and archiving everything. Naturally anything that was sent on those
lines unencrypted (or is otherwise able to be exploited) is then openly
available. One significant difference from PRISM is that this is done without
even a rubber stamping of warrants. Your post seemed to be describing the less
'cooperative' capacities of MUSCULAR with the token oversight of PRISM.

The problem that I see here is that most people are incredibly poorly informed
on our surveillance programs, which include extensive domestic surveillance.
And that is a shame, because in order for there to be progressive change
people need to understand the current state of the situation. It's like
discussing a budget when you think you have a billion dollars in the bank, but
in reality you're already in the red - the sense of urgency, which should be
there, has been artificially removed.

------
peterwwillis
Two things this article just ZOOMS over but are critical:

1. If Israelis were "burrowed deep" in Kaspersky's network, sure, Russian
hackers may have been, too - but so could have anyone else. Also the Israelis
are not exactly fans of the Russians, and are our primary (sole?) Middle East
ally, so there is bias and uncertainty there.

2. From the article:

_"The allegations, all attributed to unnamed officials with no supporting
documentation, helped explain why the US Department of Homeland Security in
September took the unprecedented step of directing all US agencies to stop
using Kaspersky products and services"_

So we're not even mentioning how _in May_ the Senate was already taking
Kaspersky to task, and there were rumors of them getting the boot even in
2016? The allegations don't explain shit, they are just another facet of a
year long political battle between the American legislative branch and
intelligence services against Kaspersky.

It is plausible that the U.S. government made these files go through Kaspersky
just so they could have leverage over them for a deal they wanted (like spying
on their own country), or that a stupid contractor put them on their laptop
along with Kaspersky AV, the NSA got caught with its pants down, and they're
using the Israelis to try to cover the embarrassment. This is not out of the
ordinary behavior for an intelligence service.

Look at it this way: flip the roles. Would Russia try a play on their
contracts with a U.S. company to further their goals?

------
forapurpose
The article contains a useful recap of the evidence so far regarding this
particular Kaspersky issue, but the news is Kaspersky's denial. I don't take
the latter to mean too much either way; when you get into the world of
intelligence, plausible denials are the norm, and corporations practice it
pretty commonly too.

Of course the U.S. government had to remove Kaspersky from its computers.
Russian intelligence has been very aggressive; the U.S. can't assume they'd
pass on the opportunity to utilize an opportunity this good: Antivirus is
widespread and highly invasive - a confidentiality (and even integrity)
violation utility, with access to all data and code on the system, that the
user helpfully installs for you, and it comes with built-in remote updates and
communication that the user fully approves of.

~~~
JohnStrange
What I find hilarious about this whole story is that the US government allowed
highly intrusive software from a non-allied country on government machines in
the first place. It seems fairly reasonable to restrict software on machines
that potentially hold confidential information (incl. e.g. patient data,
payrolls) to software that is produced in the same country or by companies of
close allies, or at least by companies who agree to some auditing.

Yet allowing anything seems fairly common practice, even more so outside the
US. I wonder how many government employees of countries other than the US have
Gmail accounts and put all their documents on Google docs, etc. Not to mention
online backups which tend to be more expensive for servers located outside the
US...

~~~
grandalf
> the US government allowed highly intrusive software from a non-allied
> country on government machines in the first place.

This is the key point. Also, the US Government was recently found to have fake
Kaspersky SSL certs.

~~~
willstrafach
> Also, the US Government was recently found to have fake Kaspersky SSL certs.

This is not true. An old commit for a leaked implant included example client
certificates, which were invalid and self-signed, used to disguise C2
communications as anti-virus updates to avoid scrutiny. Part of the system
involved copying fields from valid certificates into self-signed (invalid
ones) so the traffic would not look suspicious.

If they actually had fake/spoofed SSL certificates valid for Kaspersky’s
domain, that would be entirely different.

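To make the distinction drawn above concrete, here is an added example (not code from the thread or from any project mentioned in it): it builds a throwaway root CA, a genuine leaf certificate issued by that CA, and a self-signed clone that copies the leaf's subject and SAN fields. A name-only check accepts both; chain verification against the trust store accepts only the genuine one. All names, keys and the hostname are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics on error: every input below is constructed, so a failure is a bug, not bad data.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// sign issues tmpl under parent with signer's key; parent == tmpl yields a self-signed cert.
func sign(tmpl, parent *x509.Certificate, key, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der))
}

// BuildScenario returns a constructed trust store holding one root CA, a genuine leaf for
// host issued by that CA, and a self-signed clone whose name fields were copied from it.
func BuildScenario(host string) (roots *x509.CertPool, genuine, clone *x509.Certificate) {
	caKey, leafKey, cloneKey := newKey(), newKey(), newKey()
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: nb, NotAfter: na,
		Subject: pkix.Name{CommonName: "Constructed Vendor Root CA"}, // constructed name
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := sign(caTmpl, caTmpl, caKey, caKey)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: nb, NotAfter: na,
		Subject:  pkix.Name{CommonName: host, Organization: []string{"Constructed Vendor"}},
		DNSNames: []string{host}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	genuine = sign(leafTmpl, ca, leafKey, caKey)
	// The clone copies every name field but signs itself with an unrelated key:
	// it reads like the real thing and chains to nothing.
	cloneTmpl := *leafTmpl
	cloneTmpl.SerialNumber = big.NewInt(3)
	clone = sign(&cloneTmpl, &cloneTmpl, cloneKey, cloneKey)
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return roots, genuine, clone
}

// SubjectMatches is the superficial check: do the certificate's name fields claim host?
func SubjectMatches(c *x509.Certificate, host string) bool { return c.VerifyHostname(host) == nil }

// ChainsToTrustedRoot is the check that matters: does the certificate verify for host
// against the trust store? The genuine leaf passes; the field-for-field clone fails.
func ChainsToTrustedRoot(c *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := c.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}
```

Exercise it from a small `main` or a `_test.go` file: `BuildScenario("updates.vendor.invalid")` returns the trust store and both certificates, and only the genuine one passes `ChainsToTrustedRoot`.
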
~~~
jlgaddis
> _"... example client certificates, which were invalid and self-signed ..."_

That sounds "fake" to me.

------
lawnchair_larry
Original source article: https://securelist.com/investigation-report-for-the-september-2014-equation-malware-detection-incident-in-the-us/83210/

------
walshemj
Ok so you out and out admit an offence under the Espionage Act - you've just
fucked every employee outside of Russia over.

Receiving the goods in this case is just as much an offence as stealing.

~~~
willstrafach
Can you explain this any further?

I am also inclined to believe Kaspersky is in the wrong here, especially given
the publicizing of personal data from a customer's computer for PR purposes,
but I am having trouble understanding how the Espionage Act applies?

~~~
walshemj
"As it is currently written, the Espionage Act of 1917 makes it a crime to
hurt the United States or benefit a foreign country by collecting or
communicating information that would harm the national defense. It is also a
crime to enter an installation or obtain a document connected to the national
defense in order to hurt the United States or benefit a foreign country.
Knowingly receiving classified information that has been obtained illegally,
as well as passing it on, also runs afoul of the Espionage Act."

https://www.rcfp.org/browse-media-law-resources/news-media-law/wikileaks-and-espionage-act-1917

~~~
Anderkent
How is accidentally downloading a document and then deleting it immediately
'knowingly receiving classified information'?

~~~
walshemj
they received it; it doesn't matter what you did after that, and I'd take
"deleted" with a pinch of salt

~~~
Anderkent
' _knowingly_ receiving' means you know what you're receiving before you look
at it.

------
jradd
As far as I can tell, the only reason the US gov banned Kaspersky was because
of some emails and work performed for the FSB led by Igor Chekunov, Kaspersky
Lab's chief legal officer and a former member of the KGB.

Is there any good reason for the US gov to mistrust this company or will they
need to leak secrets to us before that will happen?

