An NSA spook was working on his home laptop and playing around with some special NSA malware.
Kaspersky AV detected it - AS IT SHOULD - based on heuristic or behavior-based technology that just about every modern AV has.
The data was sent back to Kaspersky servers. This is also how everyone else does it, because this is how A/V companies create signatures that are pushed out to all other people who use Kaspersky so they can be protected against malware that could quickly go viral.
Israelis were poking around KAV servers and found the malware, and told the US Gov.
Those are the facts, right? Everything else is speculation, no? Did I miss something that proves the thesis of the story and the government accusations?
> Israeli intelligence officers informed the N.S.A. that in the course of their Kaspersky hack, they uncovered evidence that Russian government hackers were using Kaspersky’s access to aggressively scan for American government classified programs, and pulling any findings back to Russian intelligence systems. They provided their N.S.A. counterparts with solid evidence of the Kremlin campaign in the form of screenshots and other documentation, according to the people briefed on the events.
> Wednesday's report, citing unnamed current and former US officials, said the help came in the form of modifications made to the Kaspersky antivirus software that's used by more than 400 million people around the world. Normally, the programs scan computer files for malware. "But in an adjustment to its normal operations that the officials say could only have been made with the company's knowledge, the program searched for terms as broad as 'top secret,' which may be written on classified government documents, as well as the classified code names of US government programs, these people said."
It's speculative in the sense that we weren't there, but the information comes from the same source as all of those facts.
It refers to a "person familiar with the case" when they explain how an NSA guy exposed his malware to Kaspersky.
It refers to different sources which discuss how any malware might have made its way from Kaspersky to the NSA -- unnamed "information security analysts" (they think the KGB hacked Kaspersky), "other experts" (they say the Russian's version of PRISM picked it up) and Steven Hall, a former spook with no disclosed ties to the case (he says Kaspersky is "likely to be beholden to the Kremlin").
To get things done you can not do at the office or you just lack the office time to get it done.
There was a person on the docker team, who had dockerized every other applications like chrome, firefox, ALSA sound server, and more. But even she found it hard to sandbox everything.
I'm using docker as a leading sandboxing tech. Do you mean something else when you mean sandbox?
I somehow missed to see that anybody but you claims that, so please give some link. I also, like the parent poster, only read that the antvirus program, as it should, collected the virus to the company servers.
>The hackers appear to have targeted the contractor after identifying the files through the contractor’s use of a popular antivirus software made by Russia-based Kaspersky Lab, these people said.
No mention of FSB in that article.
"Investigators did determine that, armed with the knowledge that Kaspersky’s software provided of what files were suspected on the contractor’s PC, hackers working for Russia homed in on the machine and obtained a large amount of information, said the people familiar with the matter."
But that sounds very implausible, which entry would "the hackers" use? Note that nobody claims that Kaspersky did that "obtaining" that way (by hacking). But it appears to me that Kaspersky software simply first detected suspicious files and then also send them to the servers, which is what the software of most antivirus vendors does. And then the "hackers" story was invented to make it more dramatic. That better fits with the story of the NSA trojan files found on Kaspersky servers by the Israeli, as they hacked Kaspersky.
I always setup my AV software to ask me before it does any thing whatsoever. I don't trust most software, I'm not about to start trusting my AV not to randomly send proprietary software over to their homebase.
You can go as far as finding the amount of data software is sending over the wire through the Task Manager -> Performance -> Resource Monitor. And to say an AntiVirus can hide this would mean it shouldn't be trusted whatsoever if it behaves like malware. The type of reputation any sane A/V company does not want to fall under.
I think Microsoft for their threat detection software does the same.
So I guess all the antivirus companies from time to time have such "lucky finds" like these that were obviously automatically collected by Kaspersky. Even the "secret" viruses will eventually be detected in the broader areas from time to time.
For anyone who's been at all aware of its history, it is clear that Kaspersky is at the very least actively collaborating with the Russian government, most likely doing its bidding, and possibly can be described as a cyber-security arm of Russian security forces.
I'm honestly surprised their products aren't already banned across all US government agencies.
According to that Wikipedia page, The Equation Group refers to "a collection of tools used for hacking". Targeting hacking tools seems to me exactly what a security software company should be doing.
>Such an "innocent" company would have no reason to get involved in cyberwarfare between state-actors, while Kaspersky is heavily involved in such activities and pouring considerable resources into them.
Even if we assume these tools can only target governments and not businesses or individuals, perhaps Kaspersky wishes to obtain contracts with the governments targeted. I don't see how this is particularly sinister or illegitimate.
> This is especially damning since they are clearly targeting state-actors that are antagonistic to Russian interest, such as the US (Equation Group) and its allies (Israel)
Your Wikipedia link states: "The Shadow Brokers announced that it had stolen malware code from the Equation Group [...] Exploits against Cisco Adaptive Security Appliances and Fortinet's firewalls were featured in some malware samples released by The Shadow Brokers [...] Juniper also confirmed that its NetScreen firewalls were affected. The EternalBlue exploit was used to conduct the damaging worldwide WannaCry ransomware attack."
Three American companies and vast numbers of individual users and civil government institutions around the world (including the UK Health Service). Are they all Russian interests?
Are we reading the same Wikipedia page? Here's what mine says:
> The Equation Group, classified as an advanced persistent threat, is a highly sophisticated threat actor suspected of being tied to the United States National Security Agency (NSA). Kaspersky Labs describes them as one of the most sophisticated cyber attack groups in the world and "the most advanced ... we have seen", operating alongside but always from a position of superiority with the creators of Stuxnet and Flame. Most of their targets have been in Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali.
Kaspersky is preoccupied with this group, that by their own description, targets state actors that are hostile to the US. They've obsessively documented 500 of their alleged attacks worldwide, which would be negligible blip on the radar for any normal, purely commercial cyber-security company.
Doesn't it strike you as odd?
> Even if we assume these tools can only target governments and not businesses or individuals, perhaps Kaspersky wishes to obtain contracts with the governments targeted.
I'm going to take a wild guess that none of the targets of the Equation Group like Afghanistan or Syria will trust Kaspersky enough to hire them for a sensitive project. These countries are very busy with ground wars and have no attention or money to spend on cyber security.
The only government that may and probably does employ Kaspersky is the Russian one. Which of itself hints at heavy collusion between these two.
You keep saying this, and it is completely wrong which detracts from your point (which is right!).
All commercial cyber-security companies collect and report on hacking groups.
Here's the Mandiant/FireEye report on APT-1: https://www.fireeye.com/content/dam/fireeye-www/services/pdf... and here is the APT_28 one: https://www2.fireeye.com/apt28.html
Here's the report by a group of companies on the Chinese Axiom group: http://www.novetta.com/wp-content/uploads/2014/11/Executive_...
And finally, here's the FireEye one I linked to previously talking about the Equation Group: https://www.fireeye.com/content/dam/fireeye-www/company/even...
The only government that may and probably does employ Kaspersky is the Russian one.
That's not true either as a quick Google shows, eg: https://www.crn.com.au/news/kaspersky-to-protect-prime-minis...
No, not in the slightest. Of course a security company tracks security threats, especially when those security threats utilize multiple zero day vulnerabilities that could end up in the wild after they are finished with them. Use your head, man. I get it, "better dead than Red" and all, but let's not lose our shit purely because of the speculation of an "anonymous source close to the case."
I've always found it suspicious that Russia and China created their own social networks, email providers, and search engines. Almost like they know the power of a capable search engine or social network for intelligence gathering purposes.
Google and US anti-virus companies must work closely with the NSA too.
> Kuok repeatedly expressed fears that he might be dealing with an NSA, CIA or FBI agent, but continued to negotiate with the undercover officer, even cautioning him to avoid referencing the items by model number in e-mail, because "your country has this system to analyze" e-mail for keywords.
Also after the "theft" and premature release of Stuxnet by Israel, I wonder how strong the collaboration between the US and Israel is.
> A 43-year-old former Akamai employee has pleaded guilty to espionage charges after offering to hand over confidential information about the Web acceleration company to an agent posing as an Israeli consular official in Boston.
> Facebook, for example, previously announced its DeepFace facial recognition system is capable of determining with 97 percent accuracy whether two images are of the same person. The company, which itself is accustomed to criticism that it views users as guinea pigs, is able is make such accurate identifications because of the network of images from which it draws, something that could take police agencies a decade or more to build up.
Snowden worked for Dell as a cover for his intelligence work. Russia told their military to move off Linkedin the moment it got acquired by Microsoft. Do Dell and Microsoft work closely with the DoD and should this concern non-US citizens that rely on their software and hardware?
Doubtful. Keep in mind that in Russia / China the state has a lot more leverage against commercial companies. It's very easy for the state to effectively shut any non-complying company, not to mention far worse (Russia and China have thrown businessowners into jail for no reason before).
> Almost like they know the power of a capable search engine or social network for intelligence gathering purposes.
Absolutely, the typical pattern is that some dominant foreign provider refuses to comply with say, Chinese Firewall rules, so the Chinese block it and instate a friendly domestic provider instead.
That is pretty disingenuous. Noncompliance with an NSL is a quick route to contempt charges. On top of that, the gag order prevents you from explaining your position to shareholders or customers.
This coercion makes it much more straightforward for most businesses to simply comply with US demands, unless you voluntarily shutter your company, e.g. Lavabit.
After a court issues an order, contempt of court is a possibility. Just clarifying that the route to contempt is not quick. It’s also largely untested. Writing an NSL is two pages in a Microsoft Word template, while arguing a federal case to get your way is a much bigger prospect; if the investigation is small enough, or they’re not totally legal in how they got intelligence, etc., etc., they might not wish to argue and calling the bluff might be smart.
The gagging facility of NSLs actually has a non-coercive purpose: as designed, an NSL basically invites an unknown third party into a sensitive intelligence or counterintelligence operation. Tipping off the target or anyone else could lead to a collapse of the investigation, burning other sources that were used before you got your NSL, diplomatic repercussions, and so on. That’s the thinking that went into it, and it’s actually understandable. Two problems are that (a) the gag is indefinite, with no circling back once the operation concludes and (b) NSL is horrifically abused for stuff it shouldn’t be, since FBI realized the gagging lets them mostly get away with it.
Source: Have held more than one and read the citations.
Seems like the Europeans are the only ones stupid enough not to.
Europe has been destroyed in WWII only to be liberated by the USA and the USSR (China is also among the winners). The USSR collapsed and withdrew from Eastern Europe, on condition that it remains a buffer zone (think about Ukraine in this context).
The EU is therefore essentially a peace project, subject to the peace treaties ending WWII (this hasn't happened in N. Korea, think about it in this context).
Those treaties are still in force today, including the stationing of liberating forces. This pretty much sets the boundaries, including the defense (read supervision) of strategic resources, such as gas pipelines, energy grids, and yes, communication lines and information technology. Obviously, these restrictions hardly reflect current German economic strength (just like after WWI), which inevitably leads to tensions (‘The Germans Are Bad, Very Bad’, as the POTUS puts it).
Once Facebook arrived with localised versions on the European market it destroyed all of the clones. Talk about network effects.
Or perhaps you meant mobile operating systems, in which case I would note that the most promising and well-known mobile OS after Android, iOS, and Windows phone (all American) is SailfishOS, which is... Finnish.
So the US is definitely on top, what with all the software tech giants being based there, but Europe seems pretty relevant.
Also FOSS software can't solely be attributed to the one guy who started it. I would say the Linux Kernel is global and it took a lot from Unix.
The US and the UK are Indefinite Optimists while many in US tech are Definite Optimists (such as Elon Musk.)
Cultural attitudes about the future of our world has a huge influence on the type and velocity of innovation.
Those are generalizations, but just compare investment philosophies of various countries. EU: with a few exceptions that prove the rule, very conservative, less likely to back 100x technology innovations, more likely to back 2x innovations that have low risk and low reward (but enough reward to make a return.)
Russia and China: more likely to invest in keep-up technology (me-too stuff) that promotes domestic stability — much more defensive investing to promote Juche ideas. North Korean “tech” is the extreme example.
US: willing to bet huge on low percentage, future changing tech (speaking of the Valley specifically,) while much of the rest of the US tends to be closer to the EU in terms of risk tolerance, with notable exceptions.
You won’t have an EU investor funding self-driving cars generally and you won’t have a Valley investor funding incremental 2x tech (generally.)
All countries have visionaries and innovators, but due to who controls the finances (and tax policy,) most of those future Elon Musk types are shot down before they even get off the runway.
Exceptions abound of course, but that’s my general take.
Being local ones, they didn't have the same network effects like the US ones. Some of them still live, though.
Is the Pope catholic?
Yandex search predates Google.
Not to mention that the quality of it's search in Russian had been much better than Google's until at least 2010, as a Russian when I needed to search for something in Russian I didn't bother with Google because their search results were visibly much worse.
However, that's a very old story, I doubt that there is much of a connection now.
We do know for a fact that US General James Cartwright pleaded guilty to leaking Stuxnet. And then got pardoned by Obama.
Now, whether or not he was guilty of more than that, I don't think we know, but that's often the nature of plea deals.
While your basic point might be correct, this part is absolutely false. All major security groups actively research all APT groups, no matter where they are from.
For example, here's a 2015 report from (US Company) FireEye. Page 11 talks about the Equation Group (as well as the UK-based Regin group).
It is worth acknowledging that Kaspersky was the first company to identify and name the Equation Group. However, this is likely to be because of the geographical overlap of activities: Kaspersky provides defensive support in Russia and the Middle East where the Equation Group is most active.
This is exactly the same as how Mandiant/Fireeye identified ATP-1 and Cozy Bear/Fancy Bear: they get called in to investigate breaches in the US where those state-supported groups are most active.
I would like to see some actual evidence of this, instead of just allegations.
An ordinary anti-virus company would never get involved in state-vs-state cyber warfare, let alone pour tons of money into researching it. How does that support their business model?
Do you think it's normal for a commercial company to spend so much time, money, and effort researching areas that have nothing to do with their core business, and will likely get them in trouble with their customers and antagonistic governments?
It seems like American companies tend to find Russian state-sponsored malware and Russian ones keep finding US/US allies-sponsored malware.
“There’s a Balkanization of cyberspace that’s occurring, and companies need to choose which side they’re on,” said Dmitri Alperovich, co-founder of U.S. security firm CrowdStrike.
Sounds to me like they've "chosen a side", like you're implying Kaspersky has.
Having a lot of experience in this space, no loyalties to Russia, and all loyalties to the US, if anywhere, I strongly disagree that there has ever been any meaningful current or historical link between Kaspersky and the Russian government.
Posts like this do not seem to be informed by actual industry experience and those speculations are not even agreeable to those who are suspicious of Kaspersky. You're sharing a lot of FUD.
For most private citizens that aren't of particular interest to the Russian government (e.g. aren't politicians, activists, dissidents), Kaspersky seems like an excellent choice.
Every AV product will be defeated by a targeted attack anyway.
Kaspersky, Snowden, Positive Technologies(which are also russian) are doing great service to community. Cyber weapon is still weapon and people should know about it.
So, fellow Europeans, what now? Avast? Any other options?
EDIT: Ok so I found a pretty useful Wiki list with European made AV products. I haven't used them so I can't judge to their effectiveness, especially the enterprise versions. But here are some alternatives to US / RU anti virus suites.
Czech Republic: AVAST, AVG, TrustPort
Germany: Avira, G-Data
Iceland: FRISK (F-PROT)
Spain: PANDA security
Only a handful survived my tests, and now I see them all listed here as European AV vendors. Interesting.
Symantec, by the way, was by far the worst. It got to the point where I would immediately uninstall their products on sight. My favorite was when one of their automatic updates started causing boot failures. That sure kept me busy!
This kind of Biological neural network isn't always the fastest approach but you can be sure it isn't forwarding all your traffic to the government.
To call that paranoia isn't naivity anymore, it's foolhardiness.
FRISK was bought by Israeli company Commtouch several years ago. They wound down operations in Iceland to the point that I doubt any real technical work goes on there.
Get Windows Ten should have been an eye opener for everyone, vetting updates isn't anywhere close to good enough, if Microsoft is compelled to do so they can run whatever they want on your computer.
Also as of late it seems like macOS has been nothing but security incident after security incident like the recent bug where encrypted disks had a password hint of the decryption password or when somebody found out that the system preferences app was basically using an undocumented API that had no authorization at all and gave root access. Or that keychain vulnerability that gave complete access to the entire keychain to anything running in a web browser!
I think an APT would have a field day if their targets started using macOS.
Patrick Wardle has reversed the C2 com protocol and found it had "advanced" capabilities (remote exec, key and mouse sniffing, screenshot, etc.). The malware was found on several thousands Macs too (mostly in the US).
>“Some people had to send faxes. They were dragging old printers out of storage to cut checks,” she said. “It was crazy.” ... "People using Macs were fine,” she said. She said most work is done on iPads and iPhones.
Perfect is the enemy of good and all that.
Yes but my point is that this is completely irrelevant to an APT. When an attacker moves from opportunistic to targeted having an OS with a lower adoption rate isn't going to matter. They aren't going after the most amount of victims possible, they're going after you specifically.
Plus if you assemble the RAM and processor by yourself, you never know how much viruses are there in our bootloader!
And then Israel hacked Kaspersky 'cause that's what they do or something, found the NSA development malware, and was like "Hey NSA, you should figure out how this got here"?
This seems like a very different story from any of the Kaspersky stuff I've been hearing. I'm sort of surprised Kaspersky had servers vulnerable to Israel, but I'm really surprised it was acceptable for NSA TAO employees to do work on their personal machines. I merely work in algorithmic trading, and everyone in the industry is paranoid about code leaving the building (at least one employer I know of straight-up doesn't have a VPN at all, from what I've heard). How is the NSA not as paranoid here?
If the news story is to be believed, Kaspersky was scanning for classified data using US intelligence codewords as a selector.
>I'm sort of surprised Kaspersky had servers vulnerable to Israel
I'm not, everyone's servers are vulnerable. Intelligence agencies can buy exploits. If they want in, they get in.
>but I'm really surprised it was acceptable for NSA TAO employees to do work on their personal machines.
I don't believe it is allowed. That said controlling access to data is hard, lots of people probably do work at home with classified stuff when they are told they shouldn't.
Assuming you mean the linked article, it doesn’t say that. It says that Kaspersky uses “silent signatures”, which are supposed to be indicators of malware, but could hypothetically be adapted to search for classified data instead. But it doesn’t allege Kaspersky was actually doing that.
(edit2: But the NYT report  does seem to allege that! This reporting is such a mess…)
Apparently, silent signatures are a technique to test new signatures where instead of blocking files with the signature, the AV reports the finding back to a server, allowing the vendor to identify false positives before fully deploying the signature. The question is what exactly Kaspersky is/was reporting to their server. I googled ‘silent signature’ and found a patent , issued to Kaspersky, which describes sending only hashes of the executable with the signature. But this article seems to suggest that they were sending the executable in full - at least if the leak of NSA tools occurred via that mechanism. (The article doesn’t say it did, but it sounds like a plausible route for a customer’s executable to find its way to Kaspersky’s network.) If this is the case, it sounds extremely troubling from a privacy perspective even without any intelligence services getting involved.
edit: Actually, I think the body of the patent does disclose sending the whole file to a server, which isn’t mentioned in the summary. The text is a little vague, though.
> If no threat is detected in step 720, statistics regarding the executable file and the frequency of launches of the executable file are collected in step 740. Then, in step 750, the file is downloaded and sent for a further analysis in step 760. After the analysis, either a white list or black list can be updated with a signature of this executable file.
It doesn't necessarily need to be an executable.
Imagine this filter:
- File type: .docx
- Silent Signature: "TOP SECRET//COMINT//NOFORN"
That means all word documents with:
- the "top secret" classification
- in the "Special Intelligence(ComInt)" area
- marked as "No Foreign Nationals"
will automatically be sent back to servers for review.
Again, in my industry I'm not allowed to take code home with me; I have to remote into work and edit it on my work desktop. And the worst-case scenario of code leaking is basically that a competitor makes money that we would otherwise have made. Can't people who literally have (in their belief, at least) the fate of the free world in their hands be at least this careful?
It's from the original NY Times article, which is linked to from the WP article.
All line numbers are module zero for ten? Is the code written in BASIC with the anticipation of line additions? I miss my C64!
Reason 4512F : Hamas leader uses Kasperky
and so on and on. AVs are in tens of millions of computers and have "license" to go looking for files, to take files out of the computer (talk back to the server) and firewalls let them through because you installed it. What more can you want?
I mean, this is exactly how you tell if your data has been breached or your source code leaked -- you put fake but unique records in your database then watch the dark webs for folks selling dumps containing those values; and plausible but bogus code containing unique constants then check competitors' binaries against those values.
Given that they haven't been charged, it's pretty likely there's more to this story.
It wasn't actually their home computer, but it was a non-classified system where code was being move for non-attributable active deployment.
The code was developed or acquired in a non-classified space first.
There are probably more possibilities too. There's some good speculation here: https://www.emptywheel.net/2017/10/06/the-conflicting-homewo...
Probably their best employee, his mom died...it was a mistake, a bad one but a mistake. Prosecutorial discretion.
I've been in SCIFs. It would take a lot of effort to make a mistake like that.
And yes, this is the gist of what's behind all the Kaspersky hysteria. The NSA trying to obscure another extremely embarrassing leak.
Every AV software uploads new detections for analysis. It just so happened that this fool used Kaspersky. It's abundantly clear that behind all the make believe is a mostly incompetent agency that can't keep it's secrets any better than Equifax.
That said, it's still extremely embarrassing. Why is someone from TAO taking this kind of work home?
It's right there in the article:
The current and former government officials who described the episode spoke about it on condition of anonymity because of classification rules.
This is the NYT writing a government press release into a bad thriller guided not by independently verified facts (how could you) but sheer ideology to fill in the gaps.
That happened _after_ Kaspersky identified the "NSA codename programs" as malware. That is exactly what an anti-malware application should do: look for instances of known malware.
An assumption nobody who knows anything about history will make.
Security services are completely unreliable and release these things for their own benefit. The question with this is why are the Israelis pushing this now?
The NYT has a poor record on this stuff as does pretty much everyone.
I've seen what now looks like state sponsored bullshit blogs posing as tin foil hatters being posted to HN saying Kaspersky is part of the Russian intelligence apparatus, and that's why the US government pressured stores to remove Kaspersky AV from store shelves, etc etc etc.
Most likely, they did their job, and they did it correctly. The NSA can't really defeat competent AV researchers who aren't even looking at the NSA in the first place.
“That’s the crux of the matter,” said one industry official who received the briefing. “Whether Kaspersky is working directly for the Russian government or not doesn’t matter; their Internet service providers are subject to monitoring. So virtually anything shared with Kaspersky could become the property of the Russian government.”
Late last month, the National Intelligence Council completed a classified report that it shared with NATO allies concluding that the FSB had “probable access” to Kaspersky customer databases and source code. That access, it concluded, could help enable cyberattacks against U.S. government, commercial and industrial control networks.
I'm not saying Kaspersky is a part of the Russian intelligence apparatus, but I wouldn't trust them to report on Fancy Bear campaigns, nor would I trust their AV software if I were a particularly juicy target.
This is straight up not true.
He studied at an institute that was administered by the KGB.
> The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks. The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.
To be fair, that is kind of their job. I don't suppose their precept says that they should be paranoid and believing in conspiracy theories - in those exact words. But, that seems to be how it is manifest.
Secret FISA courts rule away all of your basic privacy rights? Fear not. Russia is the enemy.
Secret warrants by a secret court is also the enemy.
One is just more important and dangerous than the other (look out of the window).
Perfect example of whataboutism BTW.
Not if you're not American. The American government has shown it doesn't care at all or stop at anything to promote its self interest through American made software outside the US.
Somebody is going to be on top.
Would you rather have US, Russia or China be the superpower?
In what sense?
It's a de facto totalitarian dictatorship. Its proliferation harms human rights, poses real danger to Ukraine, claims lives. ( https://en.wikipedia.org/wiki/Casualties_of_the_Ukrainian_cr... , corruption also claims lives https://www.youtube.com/watch?v=3eO8ZHfV4fk )
Do you refer to military intervention in Iraq, Afghanistan, Yemen, Syria, ...?
Do you dispute that these countries/areas are/were different from Ukraine?
One fact you can't argue with is Russian government is telling their people US is the enemy.
Follow @JuliaDavisNews . She posts gists of Russian state-controlled TV.
If it's not US, it's EU/NATO/gays/"democracy" (I'm not kidding you about democracy)
At this point should you just fire everybody in the NSA and start again? If not, why not? I'm struggling to see genuine competence in improving the security of Americans amongst the constitutional attacks on the citizenry, attacks which most definitely have the opposite effect.
One could argue that e.g. German spy tools copy the American style so that those decompiling it will think it is American. I argue that is a lot harder that it sounds. Code style is much deeper than whether or not to use braces around lone if clauses. The whole way of thinking, layout of data structures, use of getters/setters or properties, breakdown of what goes where and into which classes, breakup of large methods, etc etc etc. These signatures and many more give one a feel for the software's origin. Not proof, but a very solid foundation for suspicion.
I suspect that coding style guides are detectable in compiled output too.
As an aside, a bit that caught my eye here:
> This material is based on work supported by the ARO (U.S. Army Research Office) Grant W911NF-14-1- 0444, the DFG (German Research Foundation) under the project DEVIL (RI 2469/1-1), and AWS in Education Research Grant award.
I strongly doubt that (while I concur that source coding style is often recognizable).
More or less a decompiler (when it works properly) attempts to interpret the machine code and translate it into the source.
In order to do so, it must have some "templates" corresponding to regognizable "patterns" in the code, so the source derived from the decompilation will reflect these templates and not the "original".
So yes it's quite likely that the US et al have shared assets with them.
"There was one victim, however, that didn't fit the profile of other targets. Raiu says this was an international gathering for the 70th anniversary of the liberation of the Auschwitz-Birkenau concentration camps"
"But perhaps the most interesting targets were the venues hosting the P5+1 meetings. P5+1 refers to the five permanent members of the UN Security Council plus Germany, who have been in negotiations with Iran over its nuclear activities."
These stories still are almost certainly revealing just a fraction of the story. All ignore Kaspersky’s reports laying out US and allies’ spying tools (explaining why Israel might hack Kaspersky and share the details, if not the work). And the most logical explanation for the FSB démarche is that Kaspersky — as they said at the time — reported the hack to their relevant law enforcement agency, which is the FSB, who in turn yelled at the CIA.
See also: https://news.ycombinator.com/item?id=15441516
One would hope that we are more careful with removing Kaspersky and his brilliant employees' legitimate professions this time.
(Other than the software made him rich/a minor celebrity.)
I think the gp was referring to what accusations people have made of McAfee since he sold the company.
Showtime aired up a documentary about him. I think "colorful personal life" can only be interpreted as a euphemism since he was accused of murder, rape, running a local armed gang, fleeing the country from the police, etc.
I have no reason to believe Kaspersky will have similar issues as I suspect McAfee was eccentric from the start.
>Involving variously disreputable activities.
I’m not American so not that clued up on the specifics.
IMO, I think the reason it wasn't defined is because the meaning is obvious, there's two ways to be a citizen, - by birth ("natural") or by naturalization.
Tons of discussion on the topic here:
As mentioned above, Ted Cruz was a serious contender for POTUS yet was born in Canada as well as George Romney, who was born in Mexico. Those two about as close as we got to "settling" the issue.
John McCain was born in the Panama Canal Zone which, at the time, was an unincorporated territory of the United States. Does that "count" as being "the United States" if you're going to interpret "natural born citizen" that way? People may disagree. They also may disagree if military bases "count" the same way as the Panama Canal Zone. https://en.wikipedia.org/wiki/Panama_Canal_Zone#Citizenship
US Senate passed a non-binding resolution that McCain was a "natural born Citizen" of the United States.
There have been several Presidents who have one non-citizen parent, the most recent being Barrack Obama.
Antivirus/antimalware is incredibly important, but it should generally be silent and protect a system.
I mean what could happen from here. Even if NSA get evidence that their networks were hacked without doubt, which is a hard thing in itself as there are thousands of vectors and even harder is to say that it had been directly done or funded by Kaspersky, they are likely not going to expose themselves in court. Israel has even bigger reason, considering Kaspersky has at least some relation to Russia.
Also, there is evidence that NSA attacked Kaspersky first, which gives them a very good reason to carry out a counter attack to secure themselves.
Now that is an excellent question. Why didn't the Obama administration do more to protect U.S. government computer systems from this threat?
Israeli intelligence officers informed the N.S.A. that in the course of their Kaspersky hack, they uncovered evidence that Russian government hackers were using Kaspersky’s access to aggressively scan for American government classified programs, and pulling any findings back to Russian intelligence systems. They provided their N.S.A. counterparts with solid evidence of the Kremlin campaign in the form of screenshots and other documentation, according to the people briefed on the events.
As reported, this isn't incidental collection.
Every antivirus program aggressively scans for malicious programs and sends them back to the security firm for inspection and creation of fingerprints. If the collection wasn't incidental, what mechanism could the FSB exploit to non-naively identify tools that it didn't already have, and flag them for retrieval?
>If the collection wasn't incidental, what mechanism could the FSB exploit to non-naively identify tools that it didn't already have, and flag them for retrieval?
Emphasis on "non-naively." Antivirus seems like a highly ineffective tool for espionage of the sort being claimed in the article. You either have to blindly fish for something or already have a fingerprint of what you're looking for.
Saying that they "obviously have fingerprints of what they're looking for" is an active attempt to make the events fit a narrative.
Scans are executed client side using client side heuristics. And so what is or is not sent back would be contained within the client. It could be trivially verified that the source code they proffered compiles to the product at the time. And so it would also contain clear evidence whether or not the company's product was collecting and reporting data on software/documents/etc outside the nominal domain of its purpose.
The US already has Kaspersky's source.
But of course if I were installing an AV product I wouldn't like it to send my files anywhere.
Since the cover-up among relevant folks failed, and since Russia is slowly elevated to "not really friendly" status again by the US gov't, there's a great opportunity by the US deep state to send a big f*ck you to Kaspersky for their impertinence of doing their job.
That is not true at all. The software was run on an employee’s home computer, who had illegally brought classified content home.
They are a trusted ally of the USA and an observer in the Five Eyes alliance.
Imagine any major Chinese IT company pushing back against government requests like Dreamhost did. Even the biggest ones can't/won't. It helps that the government is a huge investor in most of them, of course.
"Chinese IT company rebuffs government demand for user information on its website". This headline does not exist.
"The N.S.A. bans its analysts from using Kaspersky antivirus at the agency, in large part because the agency has exploited antivirus software for its own foreign hacking operations and knows the same technique is used by its adversaries."
1. Is hacking into a foreign AV company by a state an OK thing to do?
2. How do we know the anonymous source is being truthful?
3. If yes to the first two, are we certain that it wasn't exploited but was coerced?
4. If all of these things are true and they were coerced, what is the practical difference for the party being monitored?
In China it is not even theoretically possible because the gov't mandates backdoors and can easily shut down your company if you don't comply. You have way less recourse on rule of law.
Think about the fact that the FBI had to actually get a warrant to even begin talking to Lavabit. They had to actually go through bureaucracy. It was not instantly handed over to them on request.
We ban such accounts that do these things, so would you please read https://news.ycombinator.com/newsguidelines.html and stop?
Domestically perhaps, but not when it comes to international law (eg. sanctioning torture, extrajudicial killings, drone strikes, illegal invasion etc.)
One of these is a thing with courts, enforcement mechanisms, et cetera. The other is really only relevant for preventing war between global powers, i.e. the Security Council.
No we don't. We have a stronger belief in the rule of law, but not an actual practice of rule of law. It's been getting worse and worse over the past two decades and at this point I see little difference between any particular western government and Russia's.
If you haven't noticed it, you've been willfully ignorant.
There is quality research in measuring, quantitatively and qualitatively, the rule of law .
While disagreement abounds around methods and data, it's pretty universally observed that the rule of law in Russia is worse than that in the West.
Lavabit had previously complied with search warrants to obtain data for users suspected of dealing in child pornography. https://www.docketalarm.com/cases/Maryland_District_Court/1-...
When Lavabit delayed implementing the monitoring they had agreed to, losing forever the ability to collect data generated during that time, only then did the government effectively put them out of business.
Maybe Snowden broke laws, but every single person breaks some frivolous laws every year of their life that they can be prosecuted for, see The Intercept source I posted on this.
Also JetBrains is based in Czech Republic not Russia.