Israel Hacked Kaspersky, Then Tipped NSA Its Tools Had Been Breached (washingtonpost.com)
537 points by tptacek 38 days ago | hide | past | web | 284 comments | favorite



This is what I read between the lines:

An NSA spook was working on his home laptop and playing around with some special NSA malware.

Kaspersky AV detected it - AS IT SHOULD - based on heuristic or behavior-based technology that just about every modern AV has.

The data was sent back to Kaspersky servers. This is also how everyone else does it, because this is how A/V companies create signatures that are pushed out to all other people who use Kaspersky so they can be protected against malware that could quickly go viral.

Israelis were poking around KAV servers and found the malware, and told the US Gov.

Those are the facts, right? Everything else is speculation, no? Did I miss something that proves the thesis of the story and the government accusations?


According to the NYT article[0]:

> Israeli intelligence officers informed the N.S.A. that in the course of their Kaspersky hack, they uncovered evidence that Russian government hackers were using Kaspersky’s access to aggressively scan for American government classified programs, and pulling any findings back to Russian intelligence systems. They provided their N.S.A. counterparts with solid evidence of the Kremlin campaign in the form of screenshots and other documentation, according to the people briefed on the events.

[0] https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-...


More specific detail regarding this was revealed today[0]:

> Wednesday's report, citing unnamed current and former US officials, said the help came in the form of modifications made to the Kaspersky antivirus software that's used by more than 400 million people around the world. Normally, the programs scan computer files for malware. "But in an adjustment to its normal operations that the officials say could only have been made with the company's knowledge, the program searched for terms as broad as 'top secret,' which may be written on classified government documents, as well as the classified code names of US government programs, these people said."

[0] https://arstechnica.com/information-technology/2017/10/kaspe...


"Everything else is speculation" ignores the well sourced "speculation" about Kaspersky's next step: letting the FSB know about this contractor so they could target and breach his machine.

It's speculative in the sense that we weren't there, but the information comes from the same source as all of those facts.


There is no single source for the article.

It refers to a "person familiar with the case" when they explain how an NSA guy exposed his malware to Kaspersky.

It refers to different sources which discuss how any malware might have made its way from Kaspersky to the NSA -- unnamed "information security analysts" (they think the KGB hacked Kaspersky), "other experts" (they say the Russians' version of PRISM picked it up) and Steven Hall, a former spook with no disclosed ties to the case (he says Kaspersky is "likely to be beholden to the Kremlin").


It is obvious to me that Kaspersky is beholden to the Kremlin. The founders of Kaspersky are after all Russian.


Why would a hacker not use Mac or Linux for sensitive stuff?


Why would an NSA guy use Russian security software?


Why would an NSA guy put secret government tools on his personal laptop?


Stupid as it may sound, in my experience with many, many "why did you take the data there" dramas, the answer is:

To get things done that you cannot do at the office, or you just lack the office time to get it done.


Too restrictive corporate policies?


User error


Why would an NSA guy even run any AV? Isolate and compartmentalize everything based on the task and its dependencies. You should assume everything you run could be bad or that you are already compromised.


He works for the NSA, but he was on his home computer which is unlikely to stay air-gapped unless he's content with making mspaint art and playing skifree :)


Straight up. They spew forth this stupid reasoning so that the general public will become frightened. Most people don't understand what any AV does, or how it operates anyway. For them to understand compartmentalization based on dependencies is way too far out there. The US government might have granted access as well in another effort to spread fear amongst the uneducated American populace.


Is this reasonable to do with the number of software packages even average people use?

There was a person on the Docker team who had dockerized every other application, like Chrome, Firefox, the ALSA sound server, and more. But even she found it hard to sandbox everything.

I'm using Docker as a leading sandboxing tech. Do you mean something else when you say sandbox?


I should warn that Docker was never planned as a security tool. If you read the documentation on Linux containers you will see that they are pretty complicated and therefore can have vulnerabilities.


Because he's a RIS mole pretending to be incompetent.


I assume if you voluntarily give Kaspersky root access to your laptop, they don't care whether it's Windows, Mac, or Linux.


Does Kaspersky sell products that run on Macs or desktop Linux?


According to Google they have both, and based on the descriptions they probably follow the same model as the Windows one. That said, it would be kind of ironic if the original comment actually meant, "Use Mac or Linux for sensitive stuff because there's a good chance Kaspersky doesn't exist (or work very well) on them."


Where did you read "letting the FSB know about this contractor so they could target and breach his machine."

I somehow missed seeing that anybody but you claims that, so please give some link. I also, like the parent poster, only read that the antivirus program, as it should, collected the virus to the company servers.


I read that in the WSJ article that first revealed the security breach.

https://www.wsj.com/articles/russian-hackers-stole-nsa-data-...

>The hackers appear to have targeted the contractor after identifying the files through the contractor’s use of a popular antivirus software made by Russia-based Kaspersky Lab, these people said.


That quote doesn’t say anything at all that indicates Kaspersky “let the FSB know”, as you keep stating.


It is behind a paywall, but the quote you give makes no sense in the context of the rest of the information I've read. That narration would be different then. Israelis hacked Kaspersky offices, discovered what the antivirus automatically transferred. It is not claimed they discovered anything else there. NSA obviously didn't know what their worker did at home until Israelis informed them, so how do they know he was targeted afterwards and that Kaspersky was directly involved? Something is still missing.


Here is a sans-paywall link: https://archive.is/hB3eo

No mention of FSB in that article.


Thanks. There is however:

"Investigators did determine that, armed with the knowledge that Kaspersky’s software provided of what files were suspected on the contractor’s PC, hackers working for Russia homed in on the machine and obtained a large amount of information, said the people familiar with the matter."

But that sounds very implausible; which entry would "the hackers" use? Note that nobody claims that Kaspersky did that "obtaining" that way (by hacking). But it appears to me that Kaspersky software simply first detected suspicious files and then also sent them to the servers, which is what the software of most antivirus vendors does. And then the "hackers" story was invented to make it more dramatic. That better fits with the story of the NSA trojan files found on Kaspersky servers by the Israelis, as they hacked Kaspersky.


The implications may be that the FSB provided specific signatures for them to look for, they came back when they popped up on a machine located at this contractor's house, then further assessments were performed. In context that’s not far-fetched at all.


How do you think the FSB "came back" to the machine of the NSA malware developer who's in the USA? I think that's exactly what is not plausible. He surely isn't going to open a trojan named isthatyou.jpg.exe in an e-mail sent by them to him. He actually made such stuff (trojans or something) himself, as he let Kaspersky's software automatically collect the sample of his "work in progress." Now the unnamed government sources "leak" this as a case of apparent "Russian hackers", whereas the only known hackers in the story are the NSA and Israel's hackers who hacked the office computers of Kaspersky. Kaspersky's software just did what other antivirus software does too.


I'm not a malware developer, but you can tell an antivirus not to scan a specific directory, so that could have been completely avoided. You can also tell an antivirus what not to send over to the AV developers / company, as far as I remember. I stopped using antiviruses years back, but I remember this from when I would download cheating tools: I would define a folder for those tools, some of which I had the source code to, but they were all flagged as potential malware.

I always set up my AV software to ask me before it does anything whatsoever. I don't trust most software; I'm not about to start trusting my AV not to randomly send proprietary software over to their home base.


I'll cut you some slack because you stated you're not a malware developer. But even if you're a normal developer, you should know that telling software to do something does not mean that the software will do that something. When the software in question is subject to being controlled by adversaries, all guarantees go out of the window.


Yeah. I facepalmed at that assumption as well. It's as naive as a parent telling an 18-year-old not to have friends over while they go on vacation for 2 weeks and thinking it's all good from there.


You're saying nobody would be able to test if, when and what an antivirus program is sending over the internet? If it all of a sudden is uploading enough data over to some server vs. downloading (for updates), it's kind of a telltale sign that it's phoning home with files. I don't use AV software anymore since I'm mostly on Linux; if I'm on Windows it's dedicated to Windows-based programming, and all my browsing is isolated usually.

You can go as far as finding the amount of data software is sending over the wire through Task Manager -> Performance -> Resource Monitor. And to say an antivirus can hide this would mean it shouldn't be trusted whatsoever if it behaves like malware. That is the type of reputation any sane A/V company does not want to fall under.


Wait, does it really send (suspected) malware home, without asking the user?


Yes, it's among most antivirus packages' advertised features. An example from everyone's favorite antivirus vendor: https://home.mcafee.com/Secure/CloudAV/HowItWorks.html but they all market a similar feature.


As far as I know most antivirus companies have such defaults which the users can somehow turn off. That means they consider that the user is informed and has agreed by using the product with such a setting unchanged.

I think Microsoft for their threat detection software does the same.

So I guess all the antivirus companies from time to time have such "lucky finds" like these that were obviously automatically collected by Kaspersky. Even the "secret" viruses will eventually be detected in the broader areas from time to time.


Yes. All antiviruses do this. It's one of the major streams of malware samples, and for the company I used to work for -- the most important source -- because those are authenticated as being on real customers' machines!


Kaspersky has been known to collaborate with the Russian government and promote Russian interest. They've actively pursued state actors that are hostile to Russian interest, for example The Equation Group (https://en.wikipedia.org/wiki/Equation_Group), which wouldn't be an organic part of the function or activities of a normal civilian cyber-security company. Such an "innocent" company would have no reason to get involved in cyberwarfare between state-actors, while Kaspersky is heavily involved in such activities and pouring considerable resources into them. This is especially damning since they are clearly targeting state-actors that are antagonistic to Russian interest, such as the US (Equation Group) and its allies (Israel), yet are totally silent on pro-Russian activity.

For anyone who's been at all aware of its history, it is clear that Kaspersky is at the very least actively collaborating with the Russian government, most likely doing its bidding, and possibly can be described as a cyber-security arm of Russian security forces.

I'm honestly surprised their products aren't already banned across all US government agencies.


> Kaspersky has [...] actively pursued state actors that are hostile to Russian interest, for example The Equation Group (https://en.wikipedia.org/wiki/Equation_Group), which wouldn't be an organic part of the function or activities of a normal civilian cyber-security company.

According to that Wikipedia page, The Equation Group refers to "a collection of tools used for hacking". Targeting hacking tools seems to me exactly what a security software company should be doing.

>Such an "innocent" company would have no reason to get involved in cyberwarfare between state-actors, while Kaspersky is heavily involved in such activities and pouring considerable resources into them.

Even if we assume these tools can only target governments and not businesses or individuals, perhaps Kaspersky wishes to obtain contracts with the governments targeted. I don't see how this is particularly sinister or illegitimate.

> This is especially damning since they are clearly targeting state-actors that are antagonistic to Russian interest, such as the US (Equation Group) and its allies (Israel)

Your Wikipedia link states: "The Shadow Brokers announced that it had stolen malware code from the Equation Group [...] Exploits against Cisco Adaptive Security Appliances and Fortinet's firewalls were featured in some malware samples released by The Shadow Brokers [...] Juniper also confirmed that its NetScreen firewalls were affected. The EternalBlue exploit was used to conduct the damaging worldwide WannaCry ransomware attack."

Three American companies and vast numbers of individual users and civil government institutions around the world (including the UK Health Service). Are they all Russian interests?


> According to that Wikipedia page, The Equation Group refers to "a collection of tools used for hacking"

Are we reading the same Wikipedia page? Here's what mine says:

> The Equation Group, classified as an advanced persistent threat, is a highly sophisticated threat actor suspected of being tied to the United States National Security Agency (NSA). Kaspersky Labs describes them as one of the most sophisticated cyber attack groups in the world and "the most advanced ... we have seen", operating alongside but always from a position of superiority with the creators of Stuxnet and Flame. Most of their targets have been in Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali.

Kaspersky is preoccupied with this group, which by their own description targets state actors that are hostile to the US. They've obsessively documented 500 of their alleged attacks worldwide, which would be a negligible blip on the radar for any normal, purely commercial cyber-security company.

Doesn't it strike you as odd?

> Even if we assume these tools can only target governments and not businesses or individuals, perhaps Kaspersky wishes to obtain contracts with the governments targeted.

I'm going to take a wild guess that none of the targets of the Equation Group like Afghanistan or Syria will trust Kaspersky enough to hire them for a sensitive project. These countries are very busy with ground wars and have no attention or money to spend on cyber security.

The only government that may and probably does employ Kaspersky is the Russian one. Which of itself hints at heavy collusion between these two.


> Kaspersky is preoccupied with this group, that by their own description, targets state actors that are hostile to the US. They've obsessively documented 500 of their alleged attacks worldwide, which would be negligible blip on the radar for any normal, purely commercial cyber-security company.

You keep saying this, and it is completely wrong which detracts from your point (which is right!).

All commercial cyber-security companies collect and report on hacking groups.

Here's the Mandiant/FireEye report on APT-1: https://www.fireeye.com/content/dam/fireeye-www/services/pdf... and here is the APT_28 one: https://www2.fireeye.com/apt28.html

Here's the report by a group of companies on the Chinese Axiom group: http://www.novetta.com/wp-content/uploads/2014/11/Executive_...

And finally, here's the FireEye one I linked to previously talking about the Equation Group: https://www.fireeye.com/content/dam/fireeye-www/company/even...

> The only government that may and probably does employ Kaspersky is the Russian one.

That's not true either as a quick Google shows, eg: https://www.crn.com.au/news/kaspersky-to-protect-prime-minis...


>Doesn't it strike you as odd?

No, not in the slightest. Of course a security company tracks security threats, especially when those security threats utilize multiple zero day vulnerabilities that could end up in the wild after they are finished with them. Use your head, man. I get it, "better dead than Red" and all, but let's not lose our shit purely because of the speculation of an "anonymous source close to the case."


Way down this thread, so time to ask the question: Do American anti-virus, social media, and search companies do exactly the same, but for the US military?

I've always found it suspicious that Russia and China created their own social networks, email providers, and search engines. Almost like they know the power of a capable search engine or social network for intelligence gathering purposes.

Google and US anti-virus companies must work closely with the NSA too.

> Kuok repeatedly expressed fears that he might be dealing with an NSA, CIA or FBI agent, but continued to negotiate with the undercover officer, even cautioning him to avoid referencing the items by model number in e-mail, because "your country has this system to analyze" e-mail for keywords.

https://www.wired.com/2010/05/kuok

Also after the "theft" and premature release of Stuxnet by Israel, I wonder how strong the collaboration between the US and Israel is.

> A 43-year-old former Akamai employee has pleaded guilty to espionage charges after offering to hand over confidential information about the Web acceleration company to an agent posing as an Israeli consular official in Boston.

https://www.pcworld.com/article/239187/akamai_employee_tried...

> Facebook, for example, previously announced its DeepFace facial recognition system is capable of determining with 97 percent accuracy whether two images are of the same person. The company, which itself is accustomed to criticism that it views users as guinea pigs, is able to make such accurate identifications because of the network of images from which it draws, something that could take police agencies a decade or more to build up.

Snowden worked for Dell as a cover for his intelligence work. Russia told their military to move off Linkedin the moment it got acquired by Microsoft. Do Dell and Microsoft work closely with the DoD and should this concern non-US citizens that rely on their software and hardware?

https://techcrunch.com/2016/08/15/mapping-israels-marketing-...


> Do American anti-virus, social media, and search companies do exactly the same, but for the US military?

Doubtful. Keep in mind that in Russia / China the state has a lot more leverage against commercial companies. It's very easy for the state to effectively shut any non-complying company, not to mention far worse (Russia and China have thrown business owners into jail for no reason before).

> Almost like they know the power of a capable search engine or social network for intelligence gathering purposes.

Absolutely, the typical pattern is that some dominant foreign provider refuses to comply with say, Chinese Firewall rules, so the Chinese block it and instate a friendly domestic provider instead.


> Doubtful. Keep in mind that in Russia / China the state has a lot more leverage against commercial companies. It's very easy for the state to effectively shut any non-complying company, not to mention far worse (Russia and China have thrown businessowners into jail for no reason before).

That is pretty disingenuous. Noncompliance with an NSL is a quick route to contempt charges. On top of that, the gag order prevents you from explaining your position to shareholders or customers.

This coercion makes it much more straightforward for most businesses to simply comply with US demands, unless you voluntarily shutter your company, e.g. Lavabit.


An NSL is a statutory authority document issued directly by the executive without judicial involvement. It is not a legal proceeding nor a warrant, nor is it even on court letterhead. There are no statutory penalties for noncompliance set out in the law defining NSLs, but it has provisions to request a court order to enforce if the recipient does not comply. That requires filing a federal case, bringing the intelligence operation to the attention of the judiciary, and probable argument with an opportunity for the target to argue. This is where you hear about folks like the EFF defending against an NSL, since replying to an NSL usually does nothing.

After a court issues an order, contempt of court is a possibility. Just clarifying that the route to contempt is not quick. It’s also largely untested. Writing an NSL is two pages in a Microsoft Word template, while arguing a federal case to get your way is a much bigger prospect; if the investigation is small enough, or they’re not totally legal in how they got intelligence, etc., etc., they might not wish to argue and calling the bluff might be smart.

The gagging facility of NSLs actually has a non-coercive purpose: as designed, an NSL basically invites an unknown third party into a sensitive intelligence or counterintelligence operation. Tipping off the target or anyone else could lead to a collapse of the investigation, burning other sources that were used before you got your NSL, diplomatic repercussions, and so on. That’s the thinking that went into it, and it’s actually understandable. Two problems are that (a) the gag is indefinite, with no circling back once the operation concludes and (b) NSL is horrifically abused for stuff it shouldn’t be, since FBI realized the gagging lets them mostly get away with it.

Source: Have held more than one and read the citations.


>It's very easy for the state to effectively shut any non-complying company

https://en.wikipedia.org/wiki/Lavabit


'I've always found it suspicious that Russia and China created their own social networks, email providers, and search engines. Almost like they know the power of a capable search engine or social network for intelligence gathering purposes.'

Seems like the Europeans are the only ones stupid enough not to.


It isn't stupidity.

Europe was destroyed in WWII only to be liberated by the USA and the USSR (China is also among the winners). The USSR collapsed and withdrew from Eastern Europe, on condition that it remains a buffer zone (think about Ukraine in this context).

The EU is therefore essentially a peace project, subject to the peace treaties ending WWII (this hasn't happened in N. Korea, think about it in this context).

Those treaties are still in force today, including the stationing of liberating forces. This pretty much sets the boundaries, including the defense (read supervision) of strategic resources, such as gas pipelines, energy grids, and yes, communication lines and information technology. Obviously, these restrictions hardly reflect current German economic strength (just like after WWI), which inevitably leads to tensions (‘The Germans Are Bad, Very Bad’, as the POTUS puts it).


Europeans had a few. There was StudiVZ in Germany and tuenti in Spain.

Once Facebook arrived with localised versions on the European market it destroyed all of the clones. Talk about network effects.


But search engines and email services? Operating systems? Europe is really not on top of this game.


Operating systems seem like a weird one to throw in there. For a start, I'm pretty sure some Finnish guy wrote and maintains one of the better-known operating system kernels, which happens to be used in certain popular operating systems such as Ubuntu (UK) and SuSE (Germany).

Or perhaps you meant mobile operating systems, in which case I would note that the most promising and well-known mobile OS after Android, iOS, and Windows phone (all American) is SailfishOS, which is... Finnish.

So the US is definitely on top, what with all the software tech giants being based there, but Europe seems pretty relevant.


I was thinking more along the lines of mobile systems, true, but I never heard of SailfishOS. I think it's pretty irrelevant in the market right now.

Also, FOSS software can't solely be attributed to the one guy who started it. I would say the Linux kernel is global and it took a lot from Unix.


Indefinite Pessimism. China and to a large extent Russia are Definite Pessimists.

The US and the UK are Indefinite Optimists while many in US tech are Definite Optimists (such as Elon Musk.)

Cultural attitudes about the future of our world have a huge influence on the type and velocity of innovation.

Those are generalizations, but just compare investment philosophies of various countries. EU: with a few exceptions that prove the rule, very conservative, less likely to back 100x technology innovations, more likely to back 2x innovations that have low risk and low reward (but enough reward to make a return.)

Russia and China: more likely to invest in keep-up technology (me-too stuff) that promotes domestic stability — much more defensive investing to promote Juche ideas. North Korean “tech” is the extreme example.

US: willing to bet huge on low percentage, future changing tech (speaking of the Valley specifically,) while much of the rest of the US tends to be closer to the EU in terms of risk tolerance, with notable exceptions.

You won’t have an EU investor funding self-driving cars generally and you won’t have a Valley investor funding incremental 2x tech (generally.)

All countries have visionaries and innovators, but due to who controls the finances (and tax policy,) most of those future Elon Musk types are shot down before they even get off the runway.

Exceptions abound of course, but that’s my general take.


The Europeans were developing one of the most interesting secure distributed platforms 10 years ago as part of the European Multilaterally Secure Computing Base initiative, but it appears to have gone dark. Maybe funding priorities shifted, or the technology was deemed to be something that shouldn’t be open.


Most of the countries had a local one.

Being local ones, they didn't have the same network effects as the US ones. Some of them still live, though.


Also: the Czech Republic has seznam.cz, which makes a big difference in their market.


Poland has several, but none can match the juggernauts


Well there were the Snowden revelations of the PRISM program which apparently had all the major US tech companies onboard. So it’s highly probable.


>Way down this thread, so time to ask the question: Do American anti-virus, social media, and search companies do exactly the same, but for the US military?

Is the Pope catholic?


> I've always found it suspicious that Russia and China created their own social networks, email providers, and search engines.

Yandex search predates Google.

Not to mention that the quality of its search in Russian had been much better than Google's until at least 2010; as a Russian, when I needed to search for something in Russian I didn't bother with Google because their search results were visibly much worse.


Facebook has CIA related people on its board.


That's true. At least in the beginning, there were some people near the CIA on the board and some of the early investment funding came from entities close to the CIA.

However, that's a very old story, I doubt that there is much of a connection now.


While it's quite plausible the CIA has penetrated Facebook, the interference is very unlikely to be coming in through the board meetings.


Source?


Really? Which ones?


Poster is probably referring to Peter Thiel, whose company Palantir was funded through CIA contracts.


Care to expand on the "theft and premature release of Stuxnet by Israel"? Most information seems to point to it being a joint US-Israeli creation or even primarily Israeli.

We do know for a fact that US General James Cartwright pleaded guilty to leaking Stuxnet. And then got pardoned by Obama.


No, he pleaded guilty to making false statements, not to leaking Stuxnet. More specifically, he admitted to providing classified information to reporters in 2012, over a year after Stuxnet was identified.

Now, whether or not he was guilty of more than that, I don't think we know, but that's often the nature of plea deals.


Good catch, sorry about the fake info!


> for example The Equation Group (https://en.wikipedia.org/wiki/Equation_Group), which wouldn't be an organic part of the function or activities of a normal civilian cyber-security company.

While your basic point might be correct, this part is absolutely false. All major security groups actively research all APT groups, no matter where they are from.

For example, here's a 2015 report from (US Company) FireEye[1]. Page 11 talks about the Equation Group (as well as the UK-based Regin group).

It is worth acknowledging that Kaspersky was the first company to identify and name the Equation Group. However, this is likely to be because of the geographical overlap of activities: Kaspersky provides defensive support in Russia and the Middle East where the Equation Group is most active.

This is exactly the same as how Mandiant/FireEye identified APT-1 and Cozy Bear/Fancy Bear: they get called in to investigate breaches in the US where those state-supported groups are most active.

[1] https://www.fireeye.com/content/dam/fireeye-www/company/even...


> Kaspersky has been known to collaborate with the Russian government and promote Russian interest

I would like to see some actual evidence of this, instead of just allegations.


How else can you explain their obsessive occupation with The Equation Group, which they themselves claim to be a (US) state actor, targeting other (US-unfriendly) state actors?

https://en.wikipedia.org/wiki/Equation_Group

An ordinary anti-virus company would never get involved in state-vs-state cyber warfare, let alone pour tons of money into researching it. How does that support their business model?

Do you think it's normal for a commercial company to spend so much time, money, and effort researching areas that have nothing to do with their core business, and will likely get them in trouble with their customers and antagonistic governments?


Are you saying state sponsored malware should not be looked into?

It seems like American companies tend to find Russian state-sponsored malware and Russian ones keep finding US/US allies-sponsored malware.


And in addition Israeli hackers keep on finding malware in locations they've hacked into..... hmmmmm


I could make the very same argument against CrowdStrike, which has been focusing on uncovering Russian cyber attacks. Also here's some "damning evidence", too:

“There’s a Balkanization of cyberspace that’s occurring, and companies need to choose which side they’re on,” said Dmitri Alperovitch, co-founder of U.S. security firm CrowdStrike.

http://www.reuters.com/article/us-media-tech-summit-flame/so...

Sounds to me like they've "chosen a side", like you're implying Kaspersky has.


This is a lot of BS. Kaspersky have also documented Russian government malware, so that is one nail in a very weak argument.

Having a lot of experience in this space, no loyalties to Russia, and all loyalties to the US, if anywhere, I strongly disagree that there has ever been any meaningful current or historical link between Kaspersky and the Russian government.

Posts like this do not seem to be informed by actual industry experience and those speculations are not even agreeable to those who are suspicious of Kaspersky. You're sharing a lot of FUD.


Well, it makes perfect sense to use Kaspersky then, if you're worried about the NSA. If you're more worried about Russian industrial espionage, on the other hand, e.g. as a US company with trade-secrets, you should probably better go with a US product.

For most private citizens that aren't of particular interest to the Russian government (e.g. aren't politicians, activists, dissidents), Kaspersky seems like an excellent choice.

Every AV product will be defeated by a targeted attack anyway.


Even if Kaspersky still fits your threat model (and it might), this revelation is still an existential threat, and if you use Kaspersky for an institution it's probably a good time to explore alternatives and have a plan for what to use if Kaspersky goes under.


Failing to find Equation Group tells a lot about American antivirus companies as well. Who else are they hiding?

Kaspersky, Snowden, and Positive Technologies (which is also Russian) are doing a great service to the community. A cyber weapon is still a weapon and people should know about it.


Equation Group were making hacking tools so opposing them is what any decent AV company should do. Doing so they protect all their users around the world.


You could argue exactly the same way against US security firms such as CrowdStrike, and a few others, which seem to focus on uncovering Russian malware.


Our company uses the enterprise version of Kaspersky. But if we drop this over surveillance issues then it would be pretty hypocritical to switch to AV software from the USA, since they are proven to do the exact thing that Kaspersky is now suspected / blamed of doing.

So, fellow Europeans, what now? Avast? Any other options?

EDIT: Ok so I found a pretty useful Wiki list[1] with European-made AV products. I haven't used them so I can't judge their effectiveness, especially the enterprise versions. But here are some alternatives to US / RU antivirus suites.

Czech Republic: AVAST, AVG, TrustPort

Finland: F-Secure

Germany: Avira, G-Data

Iceland: FRISK (F-PROT)

Romania: Bitdefender

Slovakia: ESET

Spain: PANDA security

[1] https://en.wikipedia.org/wiki/Comparison_of_antivirus_softwa...


This is purely anecdotal, but back when I was doing a lot of Windows sysadmin work (and when viruses were rampant) I wound up tearing through a lot of AV vendors in short order.

Only a handful survived my tests, and now I see them all listed here as European AV vendors. Interesting.

Symantec, by the way, was by far the worst. It got to the point where I would immediately uninstall their products on sight. My favorite was when one of their automatic updates started causing boot failures. That sure kept me busy!


Hire a team from your native country to manually inspect each packet before it is passed on to the client machines.

This kind of biological neural network isn't always the fastest approach, but you can be sure it isn't forwarding all your traffic to the government.


Network security monitoring is fairly common in competent enterprises.


Your ridicule is misplaced. We truly cannot trust the computers we use, from the silicon up.

To call that paranoia isn't naivety anymore, it's foolhardiness.


Standard intelligence practice is to assume that your information is already compromised. All it takes is a mole, or a disgruntled employee and all the cybersecurity in the world is naught. You'd be foolish to think anything else.


Standard practice is to have honeypots, and watch carefully who puts his paws where...


> Iceland: FRISK (F-PROT)

FRISK was bought by Israeli company Commtouch several years ago. They wound down operations in Iceland to the point that I doubt any real technical work goes on there.


What’s wrong with Windows Defender?


This is the real answer here. For the only alternatives, you're forced to trust yet another party, and with something like AV that basically equates to the third party having full control over your machine should they decide to do so. At least with Windows Defender you aren't adding another adversary, although it seems pretty hypocritical to avoid American AV while still using an OS that the NSA can push updates to.

Get Windows 10 should have been an eye opener for everyone: vetting updates isn't anywhere close to good enough; if Microsoft is compelled to do so they can run whatever they want on your computer.


Use Linux :) there is no other option


Many open source projects are infiltrated. You may use Linux but if you run on x86 you are already owned.


Not via Linux, but via the IME that Intel puts on every CPU with full access to all memory and the network cards.


One source of entropy in Linux is the RDRAND instruction. If you control or predict its output you can do a lot of harm.


It really depends on a lot of the software as well. Linux doesn't inherently trust just the CPU instructions for entropy. In fact, it recently borrowed a new feature from OpenBSD and added it, called getrandom():

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/lin...


Like what?


I think a Mac would work too, but that relies on trusting individuals.


How would switching to macOS provide any protection against an APT? Against malware in general, yeah sure, but against the NSA or FSB in a targeted attack I don't see how that benefits you at all. If the NSA can put the screws on Microsoft then Apple should be no different. Apple refusing the FBI is one thing, but faced with a gag order and an NSL their only recourse is to appeal to a secret court that basically always sides with the government.

Also, as of late it seems like macOS has been nothing but security incident after security incident, like the recent bug where encrypted disks had a password hint of the decryption password, or when somebody found out that the System Preferences app was basically using an undocumented API that had no authorization at all and gave root access. Or that keychain vulnerability that gave complete access to the entire keychain to anything running in a web browser!

I think an APT would have a field day if their targets started using macOS.


Everyone who thinks they are safe using macOS should see this presentation: https://www.youtube.com/watch?v=q7VZtCUphgg

Patrick Wardle has reversed the C2 comms protocol and found it had "advanced" capabilities (remote exec, key and mouse sniffing, screenshots, etc.). The malware was found on several thousand Macs too (mostly in the US).


Any suggestions of good tools (open source ones) on Mac that can scan and detect this kind of malware?


The guy in the video has created a bunch of "OSX sysinternals" tools for this exact purpose: https://objective-see.com/products.html


Apple pays people to "astroturf" that they're immune from Viruses and backdoors. IMHO, that makes them much worse than Microsoft.


Well, nothing's totally secure. You can but reduce the odds of having problems, and Macs seem to be hit less. For example, in the N Korea hack on Sony the Macs survived: https://9to5mac.com/2014/12/18/sony-hack/

>“Some people had to send faxes. They were dragging old printers out of storage to cut checks,” she said. “It was crazy.” ... "People using Macs were fine,” she said. She said most work is done on iPads and iPhones.

Perfect is the enemy of good and all that.


>Macs seem to be hit less.

Yes but my point is that this is completely irrelevant to an APT. When an attacker moves from opportunistic to targeted having an OS with a lower adoption rate isn't going to matter. They aren't going after the most amount of victims possible, they're going after you specifically.


Mac? No!! Apple controls every aspect of your life on a Mac. Linux, and especially a custom-built ISO, is your only option for privacy.

Plus, if you assemble the RAM and processor by yourself, you never know how many viruses there are in our bootloader!


Linux is secure in the sense that nobody can use it.


Yeah - I agree EU software is the safest option: https://medium.com/@zby/the-safest-option-is-eu-software-abc...


Filter on the benchmarks and then dig into ownership and reputation. Bigger vendors have more to lose and more resources to fight legal and cybersecurity issues. Too big / multinational vendors then get leaned-on by national security services with an “include this and give us customer information or we blacklist you” offer.

https://www.av-comparatives.org/


That is assuming they're not infiltrated, hacked or voluntarily participating in some foreign surveillance/espionage program.


Of those, all but Finland are NATO members.


NATO is a military alliance, not an intelligence sharing agreement. We know that five-eyes intel doesn't go to NATO, and it is pretty doubtful that e.g. Turkey and Germany share their intel.


It's been shown somewhat recently[1], that German intelligence not just exchanged data with the US, but also collected data for the US services in Germany and worldwide.

[1] https://www.theguardian.com/world/2016/jun/28/germany-curb-s...


Indeed. But this isn't some NATO thing, it's a US/German agreement.


If you must use AV, better look for AV solutions with clear written policies on the information they collect: https://www.f-secure.com/en/web/legal/privacy/security-cloud


eset


Article from 2015: "Israel, NSA May Have Hacked Antivirus Firm Kaspersky Lab"

https://www.tomsguide.com/us/kaspersky-hack-israel-nsa,news-...


So, if I understand this right... some NSA TAO employee was doing work on their home computer (???), where they installed Kaspersky AV (reasonable), and Kaspersky promptly identified the malware they were working on as malware and uploaded it?

And then Israel hacked Kaspersky 'cause that's what they do or something, found the NSA development malware, and was like "Hey NSA, you should figure out how this got here"?

This seems like a very different story from any of the Kaspersky stuff I've been hearing. I'm sort of surprised Kaspersky had servers vulnerable to Israel, but I'm really surprised it was acceptable for NSA TAO employees to do work on their personal machines. I merely work in algorithmic trading, and everyone in the industry is paranoid about code leaving the building (at least one employer I know of straight-up doesn't have a VPN at all, from what I've heard). How is the NSA not as paranoid here?


>Kaspersky promptly identified the malware they were working on as malware and uploaded it?

If the news story is to be believed, Kaspersky was scanning for classified data using US intelligence codewords as a selector.

>I'm sort of surprised Kaspersky had servers vulnerable to Israel

I'm not, everyone's servers are vulnerable. Intelligence agencies can buy exploits. If they want in, they get in.

>but I'm really surprised it was acceptable for NSA TAO employees to do work on their personal machines.

I don't believe it is allowed. That said controlling access to data is hard, lots of people probably do work at home with classified stuff when they are told they shouldn't.


> If the news story is to be believed, Kaspersky was scanning for classified data using US intelligence codewords as a selector.

Assuming you mean the linked article, it doesn’t say that. It says that Kaspersky uses “silent signatures”, which are supposed to be indicators of malware, but could hypothetically be adapted to search for classified data instead. But it doesn’t allege Kaspersky was actually doing that.

(edit2: But the NYT report [2] does seem to allege that! This reporting is such a mess…)

Apparently, silent signatures are a technique to test new signatures where instead of blocking files with the signature, the AV reports the finding back to a server, allowing the vendor to identify false positives before fully deploying the signature. The question is what exactly Kaspersky is/was reporting to their server. I googled ‘silent signature’ and found a patent [1], issued to Kaspersky, which describes sending only hashes of the executable with the signature. But this article seems to suggest that they were sending the executable in full - at least if the leak of NSA tools occurred via that mechanism. (The article doesn’t say it did, but it sounds like a plausible route for a customer’s executable to find its way to Kaspersky’s network.) If this is the case, it sounds extremely troubling from a privacy perspective even without any intelligence services getting involved.

edit: Actually, I think the body of the patent does disclose sending the whole file to a server, which isn’t mentioned in the summary. The text is a little vague, though.

> If no threat is detected in step 720, statistics regarding the executable file and the frequency of launches of the executable file are collected in step 740. Then, in step 750, the file is downloaded and sent for a further analysis in step 760. After the analysis, either a white list or black list can be updated with a signature of this executable file.

[1] https://www.google.com/patents/US20110126286

[2] https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-...


> But this article seems to suggest that they were sending the executable in full

It doesn't necessarily need to be an executable.

Imagine this filter:

- File type: .docx

- Silent Signature: "TOP SECRET//COMINT//NOFORN"

That means all word documents with:

- the "top secret" classification

- in the "Special Intelligence(ComInt)" area

- marked as "No Foreign Nationals"

will automatically be sent back to servers for review.
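The two comments above describe silent signatures (report-only signatures used to measure false positives before they block anything) and worry about whether the report carries just a hash or the whole matching file. The following is an added illustration, not Kaspersky's code and not from the thread: a toy silent-signature pipeline where the signatures, sample files and vendor allow-list are all constructed, and the two report builders show what each variant exposes.

```python
"""Toy "silent signature" pipeline (constructed illustration, not vendor code).

A silent signature reports a match to the vendor instead of blocking, so the
vendor can measure false positives before promoting the signature.  The
hash-only report reveals that some file matched; the full-file report ships
the file body, which is the privacy problem discussed in the thread."""
import base64
import hashlib
import re

# Constructed silent signatures: a file-extension filter plus a byte pattern.
# The first one is the example filter from the comment above.
SILENT_SIGNATURES = {
    "sig-cls-marking": {"ext": ".docx", "pattern": rb"TOP SECRET//COMINT//NOFORN"},
    "sig-dropper-stub": {"ext": ".exe", "pattern": rb"MZ.{0,64}PAYLOAD_STAGE2"},
}


def match_silent_signatures(filename, data):
    """Return the names of every silent signature whose extension filter and
    byte pattern both match.  Nothing is blocked in silent mode."""
    hits = []
    for name, sig in SILENT_SIGNATURES.items():
        if filename.lower().endswith(sig["ext"]) and re.search(sig["pattern"], data, re.S):
            hits.append(name)
    return hits


def hash_only_report(filename, data, hits):
    """Metadata-only telemetry: the vendor learns which signature fired and the
    file's hash, but no content leaves the machine."""
    return {"file": filename, "sha256": hashlib.sha256(data).hexdigest(),
            "size": len(data), "matches": hits}


def full_file_report(filename, data, hits):
    """Same report with the file body attached: every matching document is
    exfiltrated whole, regardless of what it actually contains."""
    report = hash_only_report(filename, data, hits)
    report["content"] = base64.b64encode(data).decode()
    return report


def report_exposes_content(report, data):
    """True if the original bytes can be recovered from the report."""
    body = report.get("content")
    return body is not None and base64.b64decode(body) == data


# Vendor side.  A constructed known-good file (a style guide that merely quotes
# a classification banner) sits on the allow-list; a silent signature that
# fires on it is producing false positives.
BENIGN_TEMPLATE = b"Style guide: banner lines look like TOP SECRET//COMINT//NOFORN"
KNOWN_GOOD = {hashlib.sha256(BENIGN_TEMPLATE).hexdigest()}


def false_positive_rate(reports, signature):
    """Fraction of hash-only reports for `signature` whose hash is known-good.
    The vendor can compute this from hashes alone; it needs no file bodies."""
    matched = [r for r in reports if signature in r["matches"]]
    if not matched:
        return 0.0
    false_positives = sum(1 for r in matched if r["sha256"] in KNOWN_GOOD)
    return false_positives / len(matched)


if __name__ == "__main__":
    memo = b"Subject: weekly sync\nTOP SECRET//COMINT//NOFORN\n"  # constructed
    hits = match_silent_signatures("memo.docx", memo)
    print(hits, report_exposes_content(hash_only_report("memo.docx", memo, hits), memo))
```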


Why the heck is a file that says "TOP SECRET//COMINT//NOFORN" on anyone's personal laptop? Isn't that, like, not just a firing offense but also a criminal offense?

Again, in my industry I'm not allowed to take code home with me; I have to remote into work and edit it on my work desktop. And the worst-case scenario of code leaking is basically that a competitor makes money that we would otherwise have made. Can't people who literally have (in their belief, at least) the fate of the free world in their hands be at least this careful?


> Assuming you mean the linked article, it doesn’t say that

It's from the original NY Times article, which is linked to from the WP article.


Pretty much all AV products do this, for "suspicious" files too. Doesn't even need a signature to get collected. This includes non-executables such as docs or pdfs, since those are common 0day vectors.


> ...detected in step 720, statistics regarding ... collected in step 740. Then, in step 750, ...

All line numbers are zero modulo ten? Is the code written in BASIC with the anticipation of line additions? I miss my C64!


They also have huge catalogs of 0-days and unreleased exploits, probably, in addition to human intelligence sources within major AV, infrastructure tech companies.


I can think of at least 1 reason why Israel would hack Kaspersky...https://en.wikipedia.org/wiki/Stuxnet#Discovery


>>I can think of at least 1 reason why Israel would hack Kaspersky...

Reason 4512F: Hamas leader uses Kaspersky

and so on and on. AVs are on tens of millions of computers and have a "license" to go looking for files, to take files out of the computer (talk back to the server), and firewalls let them through because you installed it. What more can you want?


I can't believe nobody else brought this up sooner. This was my first thought.


Perhaps he was doing the bidding of his employers in order to test a theory that Kaspersky was an attack vector?

I mean, this is exactly how you tell if your data has been breached or your source code leaked -- you put fake but unique records in your database then watch the dark webs for folks selling dumps containing those values; and plausible but bogus code containing unique constants then check competitors' binaries against those values.
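The comment above describes seeding canary records and canary constants into each copy of your data or code, then scanning dumps and binaries for them. Here is an added illustration of that technique (constructed example, not the commenter's code): each recipient gets canaries derived with HMAC from a server-side key, so no canary table needs to be stored, and a later scan says not only that something leaked but which copy it came from. The recipients, records, key and "leaked" blobs are all made up.

```python
"""Per-recipient canary records and constants (constructed illustration)."""
import hashlib
import hmac

# Server-side key; anyone who knows it can derive every canary on demand.
SECRET = b"constructed-canary-key"


def canary_value(recipient, kind):
    """Derive a stable, unguessable canary for one recipient and one kind.

    "email" yields a plausible customer address that belongs to nobody;
    "const" yields a 64-bit magic number nobody would pick by accident."""
    tag = hmac.new(SECRET, f"{recipient}:{kind}".encode(), hashlib.sha256).hexdigest()
    if kind == "email":
        return f"j.{tag[:6]}@example.com"
    if kind == "const":
        return int(tag[:16], 16)
    raise ValueError(f"unknown canary kind: {kind}")


def seed_dataset(records, recipient):
    """Return the recipient's copy of the data: real records plus a canary row.
    The canary row is unique per recipient, so a leaked dump is attributable
    even if competitors legitimately hold the same real records."""
    return records + [{"name": "Jordan Lee", "email": canary_value(recipient, "email")}]


def seed_source(source, recipient):
    """Return the recipient's copy of a source file with its canary constant
    substituted for the /*CANARY*/ 0 placeholder."""
    return source.replace("/*CANARY*/ 0", f"/*CANARY*/ {canary_value(recipient, 'const')}")


def find_leak_source(blob, recipients):
    """Scan a dump (text) or a compiled binary (bytes) for any recipient's
    canaries and return the recipients whose copy appears in it.

    Constants are looked for as 8-byte little-endian values, which is how a
    64-bit literal lands in an x86-64 binary; a 64-bit value makes an
    accidental byte match vanishingly unlikely."""
    hits = set()
    for recipient in recipients:
        email = canary_value(recipient, "email").encode()
        const = canary_value(recipient, "const").to_bytes(8, "little")
        if email in blob or const in blob:
            hits.add(recipient)
    return sorted(hits)


if __name__ == "__main__":
    recipients = ["acme", "globex", "initech"]
    real = [{"name": "Ada", "email": "ada@example.net"}]  # constructed
    leaked_dump = str(seed_dataset(real, "globex")).encode()
    print(find_leak_source(leaked_dump, recipients))  # ['globex']
```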


Real data works too.


Not if your competitors have the same data in their DB.


Acceptable, no. People not following rules, it happens.


some NSA TAO employee was doing work on their home computer

Given that they haven't been charged, it's pretty likely there's more to this story.

Two possibilities:

It wasn't actually their home computer, but it was a non-classified system where code was being moved for non-attributable active deployment.

The code was developed or acquired in a non-classified space first.

There are probably more possibilities too. There's some good speculation here: https://www.emptywheel.net/2017/10/06/the-conflicting-homewo...


Given that they haven't been charged, it's pretty likely there's more to this story.

Probably their best employee, his mom died...it was a mistake, a bad one but a mistake. Prosecutorial discretion.


Maybe.

I've been in SCIFs. It would take a lot of effort to make a mistake like that.


No, it's strictly forbidden to access classified information from an unclassified machine. I'm not saying it doesn't happen, I'm saying it's highly against protocol (and the law).


They probably didn't hack anything, they just have people who receive these AV samples as malware researchers. Any intelligence agency worth their money should.

And yes, this is the gist of what's behind all the Kaspersky hysteria. The NSA trying to obscure another extremely embarrassing leak.

Every AV software uploads new detections for analysis. It just so happened that this fool used Kaspersky. It's abundantly clear that behind all the make believe is a mostly incompetent agency that can't keep its secrets any better than Equifax.


Read the original New York Times story, it gives a lot more technical details on the hack than this one[0]. Assuming the Israeli and NYT accounts are to be believed, this was a very deliberate hack. Israel watched in real-time as Kaspersky sent out searches for NSA codename programs on all computers with Kaspersky AV installed (this was related to the whole Duqu 2.0 intrusion into Kaspersky's network that Kaspersky blogged about 2 years ago). And the NSA tools were some of the files reeled in from those searches.

That said, it's still extremely embarrassing. Why is someone from TAO taking this kind of work home?

0. https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-...


It's the NYT, for crying out loud! Unless you believe they have the knowledge on staff to do any sort of original reporting on this, this story is exactly what a "government official speaking on the condition of anonymity" has whispered to them. It's the fricking party line.

It's right there in the article:

    The current and former government officials who described the episode spoke about it on condition of anonymity because of classification rules.

There are two options here, obviously. Someone revealed actual classified information, in which case apparently multiple government workers committed a felony to tell the NYT about a story that is entirely flattering for the employer they just betrayed. Or, and given the incidence of "government officials .. spoke on the condition of anonymity" in NYT stories the far more likely option, the press office of the NSA called the NYT, whispered some dangerous words about "off the record" and then delivered the official press release that for some reason they just didn't get to put on NSA website just yet.

This is the NYT writing a government press release into a bad thriller guided not by independently verified facts (how could you) but sheer ideology to fill in the gaps.


> Israel watched in real-time as Kaspersky sent out searches for NSA codename programs on all computers with Kaspersky AV installed

That happened _after_ Kaspersky identified the "NSA codename programs" as malware. That is exactly what an anti-malware application should do: look for instances of known malware.


>Assuming the Israeli and NYT accounts are to be believed,

An assumption nobody who knows anything about history will make.


This shouldn't be modded down.

Security services are completely unreliable and release these things for their own benefit. The question with this is why are the Israelis pushing this now?

The NYT has a poor record on this stuff as does pretty much everyone.

WMD.


Basically.

I've seen what now looks like state sponsored bullshit blogs posing as tin foil hatters being posted to HN saying Kaspersky is part of the Russian intelligence apparatus, and that's why the US government pressured stores to remove Kaspersky AV from store shelves, etc etc etc.

Most likely, they did their job, and they did it correctly. The NSA can't really defeat competent AV researchers who aren't even looking at the NSA in the first place.


Whatever the "bullshit blogs" might be (I haven't noticed these stories, but maybe you can provide links?), they're in good company now, because that's more or less the story the NYT, WSJ, and WaPo have developed.


There's not a lot of attribution going on here, though. Take the WaPo story, they just tell us what's possible and leave us to draw conclusions ourselves -

“That’s the crux of the matter,” said one industry official who received the briefing. “Whether Kaspersky is working directly for the Russian government or not doesn’t matter; their Internet service providers are subject to monitoring. So virtually anything shared with Kaspersky could become the property of the Russian government.”

Late last month, the National Intelligence Council completed a classified report that it shared with NATO allies concluding that the FSB had “probable access” to Kaspersky customer databases and source code. That access, it concluded, could help enable cyberattacks against U.S. government, commercial and industrial control networks.


Kaspersky is pretty well known to have a close relationship with the Russian government, though. Hell, Kaspersky himself used to work for Soviet military intelligence. There are several articles cited here: https://en.wikipedia.org/wiki/Kaspersky_Lab#Allegations_of_t...

I'm not saying Kaspersky is a part of the Russian intelligence apparatus, but I wouldn't trust them to report on Fancy Bear campaigns, nor would I trust their AV software if I were a particularly juicy target.


> Kaspersky himself used to work for Soviet military intelligence

This is straight up not true. He studied at an institute that was administered by the KGB.


They are not known for any such thing, and Eugene did not work for military intelligence. He has addressed this many times.


The DHS is "tin foil hatters"?

https://www.dhs.gov/news/2017/09/13/dhs-statement-issuance-b...

> The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks. The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.


> The DHS is "tin foil hatters"?

Yes?

To be fair, that is kind of their job. I don't suppose their precept says that they should be paranoid and believing in conspiracy theories - in those exact words. But, that seems to be how it is manifest.


I guess Kaspersky is rumoured to be to the Russian government what Apple / Google / Microsoft / Facebook are proven to be to the US government.

Secret FISA courts rule away all of your basic privacy rights? Fear not. Russia is the enemy.


Correct. Russia IS the enemy.

Secret warrants by a secret court is also the enemy.

One is just more important and dangerous than the other (look out of the window).

Perfect example of whataboutism BTW.


Russia is the enemy of the state, not your enemy. The state also thinks of you as an enemy. You really shouldn't be afraid of a foreign state, your state is the only real threat to you here.


But Russia can and would turn against you if they thought you could be useful to them. You should be afraid of both.


Except Russia doesn't give a rat's ass about little you. The NSA on the other hand...


>One is just more important and dangerous than the other

Not if you're not American. The American government has shown it doesn't care at all, or stop at anything, to promote its self-interest through American-made software outside the US.


I wrote on this before.

Somebody is going to be on top.

Would you rather have US, Russia or China be the superpower?


How about none of them? Your premise is wrong.


> Russia IS the enemy

In what sense?


In a very direct sense.

It's a de facto totalitarian dictatorship. Its proliferation harms human rights, poses real danger to Ukraine, claims lives. ( https://en.wikipedia.org/wiki/Casualties_of_the_Ukrainian_cr... , corruption also claims lives https://www.youtube.com/watch?v=3eO8ZHfV4fk )


You could say a lot worse about many US allies. Saudi Arabia anyone? Human rights are irrelevant when the US government decides who is an enemy and who is an ally.


But you could say much of the same about the US.


Much of the same?

Do you refer to military intervention in Iraq, Afghanistan, Yemen, Syria, ...?

Do you dispute that these countries/areas are/were different from Ukraine?


No you couldn't. This is from the point of view of the US state. The US is not a direct enemy of the US.


You are right. It's not so black and white.

One fact you can't argue with is Russian government is telling their people US is the enemy.

Follow @JuliaDavisNews. She posts gists of Russian state-controlled TV.

If it's not US, it's EU/NATO/gays/"democracy" (I'm not kidding you about democracy)


When has the Russian government ever said the US was the enemy? The only saber rattling sound is coming from Washington.


Israel (Mossad?) can hack something in Russia, see tools and recognise those tools as top secret NSA gear. Do you wonder how they made that recognition? Were they shared with Israel so they knew, in which case the source could have been Israel being hacked, right? Or they knew because hacking the NSA is something multiple nation states have done. I'd be completely amazed if the NSA wasn't absolutely full of spies acting for foreign powers and organised crime.

At this point should you just fire everybody in the NSA and start again? If not, why not? I'm struggling to see genuine competence in improving the security of Americans amongst the constitutional attacks on the citizenry, attacks which most definitely have the opposite effect.


I can look at a Git commit and tell you exactly which of my coworkers wrote it without looking at %cn. Code has style, like spoken language has accents.

One could argue that e.g. German spy tools copy the American style so that those decompiling it will think it is American. I argue that is a lot harder than it sounds. Code style is much deeper than whether or not to use braces around lone if clauses. The whole way of thinking, layout of data structures, use of getters/setters or properties, breakdown of what goes where and into which classes, breakup of large methods, etc etc etc. These signatures and many more give one a feel for the software's origin. Not proof, but a very solid foundation for suspicion.
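The comment above argues that coding style identifies an author. As an added illustration (not the commenter's code), here is a crude code-stylometry attribution using only surface features (brace placement, indent width, identifier naming, comment density, line length) and nearest-neighbour matching against labelled samples; the two "developers" and every code sample are constructed, and real stylometry such as the Caliskan-Islam paper linked elsewhere in this thread uses far richer syntactic features.

```python
"""Surface-feature code stylometry (constructed illustration)."""
import math
import re

IDENT = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")
# C keywords and types excluded from the naming-convention count.
KEYWORDS = {"int", "char", "const", "size_t", "static", "void", "if",
            "while", "return", "struct", "free"}


def style_features(src):
    """Extract a small, normalised feature vector from one source sample."""
    lines = [l for l in src.splitlines() if l.strip()]
    brace_lines = [l for l in lines if "{" in l]
    # K&R puts "{" at the end of the statement line; Allman puts it alone.
    same_line = sum(1 for l in brace_lines
                    if l.rstrip().endswith("{") and l.strip() != "{")
    indents = [len(l) - len(l.lstrip(" ")) for l in lines if l.startswith(" ")]
    idents = [i for i in IDENT.findall(src) if i not in KEYWORDS]
    camel = sum(1 for i in idents if re.search(r"[a-z][A-Z]", i))
    snake = sum(1 for i in idents if "_" in i.strip("_"))
    comments = sum(1 for l in lines if l.strip().startswith(("//", "/*")))
    return {
        "brace_same_line": same_line / len(brace_lines) if brace_lines else 0.0,
        "indent_width": (min(indents) if indents else 0) / 8,
        "camel_ratio": camel / (camel + snake) if camel + snake else 0.5,
        "comment_density": comments / len(lines),
        "avg_line_len": sum(map(len, lines)) / len(lines) / 100,
    }


def distance(a, b):
    """Euclidean distance between two feature dicts with the same keys."""
    return math.sqrt(sum((a[k] - b[k]) ** 2 for k in a))


def attribute(src, corpus):
    """Return (label, distance) of the labelled sample closest in style."""
    f = style_features(src)
    best = min((distance(f, style_features(s)), label)
               for label, samples in corpus.items() for s in samples)
    return best[1], best[0]


# Constructed corpus: dev_a writes K&R braces, 4-space indent, snake_case and
# comments; dev_b writes Allman braces, 2-space indent, camelCase, no comments.
CORPUS = {
    "dev_a": [
        "int parse_header(const char *buf, size_t len) {\n"
        "    /* reject short buffers */\n"
        "    if (len < 4) {\n"
        "        return -1;\n"
        "    }\n"
        "    int header_len = buf[0];\n"
        "    return header_len;\n"
        "}\n",
        "static void free_node(struct node *n) {\n"
        "    /* free children first */\n"
        "    while (n->child_count > 0) {\n"
        "        free_child(n, n->child_count - 1);\n"
        "    }\n"
        "    free(n);\n"
        "}\n",
    ],
    "dev_b": [
        "int parseHeader(const char *buf, size_t len)\n"
        "{\n"
        "  if (len < 4)\n"
        "  {\n"
        "    return -1;\n"
        "  }\n"
        "  int headerLen = buf[0];\n"
        "  return headerLen;\n"
        "}\n",
        "static void freeNode(struct node *n)\n"
        "{\n"
        "  while (n->childCount > 0)\n"
        "  {\n"
        "    freeChild(n, n->childCount - 1);\n"
        "  }\n"
        "  free(n);\n"
        "}\n",
    ],
}

UNKNOWN = (
    "int copyBytes(char *dst, const char *src, size_t len)\n"
    "{\n"
    "  if (len == 0)\n"
    "  {\n"
    "    return 0;\n"
    "  }\n"
    "  size_t copied = 0;\n"
    "  while (copied < len)\n"
    "  {\n"
    "    dst[copied] = src[copied];\n"
    "    copied++;\n"
    "  }\n"
    "  return copied;\n"
    "}\n"
)

if __name__ == "__main__":
    print(attribute(UNKNOWN, CORPUS))  # ('dev_b', <small distance>)
```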


You might find De-anonymizing Programmers via Code Stylometry ( http://www.princeton.edu/~aylinc/papers/caliskan-islam_deano... ) an interesting read.

I suspect that coding style guides are detectable in compiled output too.

As an aside, a bit that caught my eye here:

> This material is based on work supported by the ARO (U.S. Army Research Office) Grant W911NF-14-1- 0444, the DFG (German Research Foundation) under the project DEVIL (RI 2469/1-1), and AWS in Education Research Grant award.


>I suspect that coding style guides are detectable in compiled output too.

I strongly doubt that (while I concur that source coding style is often recognizable).

More or less, a decompiler (when it works properly) attempts to interpret the machine code and translate it into the source. In order to do so, it must have some "templates" corresponding to recognizable "patterns" in the code, so the source derived from the decompilation will reflect these templates and not the "original".


Israel is listed as an "observer" in the Five Eyes alliance.

So yes it's quite likely that the US et al have shared assets with them.

https://en.wikipedia.org/wiki/Five_Eyes


Governments never fire spies. They move them to reserve and pay them good pensions.


Kaspersky Finds New Nation-State Attack—In Its Own Network

https://www.wired.com/2015/06/kaspersky-finds-new-nation-sta...

"There was one victim, however, that didn't fit the profile of other targets. Raiu says this was an international gathering for the 70th anniversary of the liberation of the Auschwitz-Birkenau concentration camps"

"But perhaps the most interesting targets were the venues hosting the P5+1 meetings. P5+1 refers to the five permanent members of the UN Security Council plus Germany, who have been in negotiations with Iran over its nuclear activities."


In fine, the NSA is not that super agency filled with very talented math/crypto/CS people like the majority depict in their mind. They are employing average folks who use average tools and get caught by average issues. The only difference might be that they are educated and trained to be very efficient at doing one very specific job and that's all.


It's the same with any such "mystical" organisation. There are no Hollywood super-humans anywhere. It's regular people cooperating and doing their jobs all the way down.


Part of the problem is the push to let the "free market" fix the government, to outsource many facets of the government to contractors. This has led to corruption and fraud amongst the contractors:

http://investigations.nbcnews.com/_news/2014/01/23/22401812-...


They're similar to Google/Apple/Facebook in that regard. Sure there are some great people there, but most devs are just going to be average.


I can't recommend Empty Wheel enough for in-depth analysis on these stories. For example: https://www.emptywheel.net/2017/10/11/on-the-kaspersky-hack/

These stories still are almost certainly revealing just a fraction of the story. All ignore Kaspersky’s reports laying out US and allies’ spying tools (explaining why Israel might hack Kaspersky and share the details, if not the work). And the most logical explanation for the FSB démarche is that Kaspersky — as they said at the time — reported the hack to their relevant law enforcement agency, which is the FSB, who in turn yelled at the CIA.

See also: https://news.ycombinator.com/item?id=15441516


It would be really surprising if Kaspersky survived this.


If he is forced out of the antivirus business then he and his staff could potentially do blackhat stuff. I suspect that everybody would lose from such a development, because he is a very competent guy. (One is supposed to think in terms of capabilities when thinking about security related stuff ;-)


We saw a similar situation with the Russian rocket and nuclear scientists who lost their jobs after START I. Many of them started providing knowledge to rogue states and in at least one incident, to a private 'organization'.

One would hope that we are more careful with removing Kaspersky and his brilliant employees' legitimate professions this time.


Do you mean the company or the man?


The company. The man will be fine.


Why would they be done for? If they are basically funded by the FSB then they can't really die, no? Or is it more that it's over for them wrt running in the USA in general?


They are not funded by the FSB. Not even Washington thinks that. They're a very successful multinational antivirus company, and they make one of the least bad products in that space.


Russian institutional and government contracts are their major revenue stream. There is about 0% chance of any Western company winning any of those, regardless of their technical merits.


In the case of McAfee, the man and company both have terrible reputations. And quite frankly deserve them.


Tell that to McAfee


What about McAfee? He divested from the software/company shortly after it was created. He has a colorful personal life, but I doubt that has much of anything to do with the software that he hasn't been involved with for around two decades.

(Other than the software made him rich/a minor celebrity.)


> He has a colorful personal life

I think the gp was referring to what accusations people have made of McAfee since he sold the company.

Showtime aired a documentary[1] about him. I think "colorful personal life" can only be interpreted as a euphemism since he was accused of murder, rape, running a local armed gang, fleeing the country from the police, etc.

I have no reason to believe Kaspersky will have similar issues as I suspect McAfee was eccentric from the start.

[1] http://www.sho.com/titles/3437264/gringo-the-dangerous-life-...


No euphemisms here. Perhaps you are unfamiliar with this definition of colorful?

>Involving variously disreputable activities.


He also ran for POTUS as a Libertarian.


He was born in Scotland so that was never going to work, lol


Born on an Army base to an American father. John McCain was born under similar circumstances, Ted Cruz and George Romney were both born abroad and neither was seriously considered disqualified. The only difference between McCain and McAfee afaict is both McCain's parents were US citizens at the time of his birth. That may be relevant, that part of the law can change, but simply being born overseas doesn't stop a person from being a "natural-born citizen".


Didn’t know that, cool!

I’m not American so not that clued up on the specifics.


It's a common misunderstanding among Americans: "you have to be born in the US to become president." I'm not sure where that came from but it's not exactly true. The Constitution says you have to be a "natural born citizen" to become president. "Natural born citizen," however, is not defined.

IMO, the reason it wasn't defined is because the meaning is obvious: there are two ways to be a citizen, by birth ("natural") or by naturalization.

Tons of discussion on the topic here: https://en.wikipedia.org/wiki/Natural-born-citizen_clause

As mentioned above, Ted Cruz was a serious contender for POTUS yet was born in Canada, as was George Romney, who was born in Mexico. Those two are about as close as we got to "settling" the issue.

John McCain was born in the Panama Canal Zone which, at the time, was an unincorporated territory of the United States. Does that "count" as being "the United States" if you're going to interpret "natural born citizen" that way? People may disagree. They also may disagree if military bases "count" the same way as the Panama Canal Zone. https://en.wikipedia.org/wiki/Panama_Canal_Zone#Citizenship

US Senate passed a non-binding resolution that McCain was a "natural born Citizen" of the United States.

There have been several Presidents who have one non-citizen parent, the most recent being Barack Obama.


Hah. If anyone can figure out what category of people McAfee is a bellwether for, I'd like to hear it.


Good riddance.


What was so bad about Kaspersky that you consider it good riddance? I recall reading about legitimate good security work and breach investigations from them just a few years ago. It's not like anybody forced you to use their software.


I agree on the high quality research etc, but personally I dropped Kaspersky products for the same reason as the original Norton Antivirus products: they became obnoxiously loud with unnecessary notifications. Kaspersky ramped up their annoying notifications so much that I went from recommending it in small corporate environments to not even mentioning it.

Antivirus/antimalware is incredibly important, but it should generally be silent and protect a system.


For whatever it's worth, my employer forced me to use their software. My 2015 MacBook Pro would regularly grind to a halt. We recently switched, hopefully for the better.


The fact that they collaborate with the Russian gov't secret services.


You mean you can't even stand their mere existence even without ever actually touching any of their products? Note that I'm not asking why you're not installing their antivirus, I'm asking why you don't want them to exist...


I don’t because they are collaborating with a fundamentally dictatorial gov’t.


If you want a slightly more nuanced understanding of Russia, I found this quite good as a crash course to why Russians like Putin:

http://www.bbc.co.uk/iplayer/episode/b097l4s7/russia-with-si...


Are you referring to the US Deep State? The one who has secret FISA courts and secret laws to protect the NSA?


Yeah, and Israel too in Russia.

I mean, what could happen from here? Even if the NSA gets evidence that their networks were hacked without doubt, which is a hard thing in itself as there are thousands of vectors, and even harder is to say that it had been directly done or funded by Kaspersky, they are likely not going to expose themselves in court. Israel has an even bigger reason, considering Kaspersky has at least some relation to Russia.

Also, there is evidence that NSA attacked Kaspersky first, which gives them a very good reason to carry out a counter attack to secure themselves.


What does that even mean? A "counter-attack to secure themselves"?


What is the timeline on this? If Israel knew this in 2015, why are Kaspersky tools just being banned in the US now? Was this only shared recently?


> If Israel knew this in 2015, why are Kaspersky tools just being banned in the US now?

Now that is an excellent question. Why didn't the Obama administration do more to protect U.S. government computer systems from this threat?


Note that Windows Defender also uploads files on scans, which is opt-out.


All the mainstream endpoint protection software does this, so if you're going to run it at all --- don't --- you're going to have to pick which company you trust not to do what Kaspersky apparently did.


This makes me curious. How many companies in the Fortune 500 are going without AV software on their Windows PCs? AV software surely is crappy, but it still seems to be standard within a big majority of the large corporations.


Not just that, but Microsoft has close ties to the US government!


Perhaps he/she had the data on a SAN while performing development from a more “secure” computer and one of his personal computers with AV installed was connected to the same SAN. A likely scenario as far as scenarios go.


One other possibility is that Kaspersky stole nothing, that it found the malware on computers it was tasked with protecting. And one should wonder whether or not they added signatures to their A/V product to find and protect against this malware.


NYT:

> Israeli intelligence officers informed the N.S.A. that in the course of their Kaspersky hack, they uncovered evidence that Russian government hackers were using Kaspersky’s access to aggressively scan for American government classified programs, and pulling any findings back to Russian intelligence systems. They provided their N.S.A. counterparts with solid evidence of the Kremlin campaign in the form of screenshots and other documentation, according to the people briefed on the events.

As reported, this isn't incidental collection.


That paragraph reeks of either journalistic license or a journalist who doesn't seem to understand what antivirus does.

Every antivirus program aggressively scans for malicious programs and sends them back to the security firm for inspection and creation of fingerprints. If the collection wasn't incidental, what mechanism could the FSB exploit to non-naively identify tools that it didn't already have, and flag them for retrieval?


Your comment doesn't really say anything. Obviously, most AV software relays files back to the AV vendor's servers. But that's not what this graf implies. The graf suggests that Russian hackers are sending selectors down to the installed base of AV software to retrieve specific files, and that, once they obtained files that way, they passed the files on to Russian intelligence.


You seem to miss the part where I say

>If the collection wasn't incidental, what mechanism could the FSB exploit to non-naively identify tools that it didn't already have, and flag them for retrieval?

Emphasis on "non-naively." Antivirus seems like a highly ineffective tool for espionage of the sort being claimed in the article. You either have to blindly fish for something or already have a fingerprint of what you're looking for.


Obviously, they have fingerprints of what they're looking for.


To have a hash of a file, you need the file (or a large portion of the file), especially in the context of antivirus, which searches for very specific files and needs to have a very low false positive and false negative rate. Consequently, they would already have to have the tool (or a large portion of the tool) to find it and retrieve it. A little non-productive, don't you think?

Saying that they "obviously have fingerprints of what they're looking for" is an active attempt to make the events fit a narrative.


The thing I don't understand about allegations like this is that, if true, why in the world did the US not take up Kaspersky on its offer of complete source access?

Scans are executed client side using client side heuristics. And so what is or is not sent back would be contained within the client. It could be trivially verified that the source code they proffered compiles to the product at the time. And so it would also contain clear evidence whether or not the company's product was collecting and reporting data on software/documents/etc outside the nominal domain of its purpose.


You need more than the source; you need the selector/signature configuration at all times the program was running, and the total state of every update ever applied to every running instance of the software.

The US already has Kaspersky's source.


AV uses other methods besides signatures, for example running code in a sandbox, or heuristics. If the malware was not obfuscated then it could be detected even without signatures.

But of course if I were installing an AV product I wouldn't like it to send my files anywhere.


Why would anyone unaffiliated with NSA be alarmed that its tools had been breached? What legitimacy does it have at this point? Serious question.


The NSA is angry that their toys were lost because of their incompetence of using a tool that was just doing its job (to find malware) on a system that also hosted their secret toys. They're even more angry that they didn't notice themselves so their buddies from Israel had to tell them. _That_ must have burned.

Since the cover-up among relevant folks failed, and since Russia is slowly being elevated to "not really friendly" status again by the US gov't, there's a great opportunity for the US deep state to send a big f*ck you to Kaspersky for their impertinence of doing their job.


> The NSA is angry that their toys were lost because of their incompetence of using a tool that was just doing its job

That is not true at all. The software was run on an employee’s home computer, who had illegally brought classified content home.


Israel is not unaffiliated with the NSA.

They are a trusted ally of the USA and an observer in the Five Eyes alliance.


It's valuable information that can be used to either secure a future favor or serve as a quid pro quo for a previously extended favor.


Intelligence sharing..


Which antivirus should I use? "Find & Replace" Kaspersky with McAfee and FSB with NSA, and you end up with American 3 letter agencies that have all your data. Every company has a home country, and every country a rule to decipher data.


What a wonderful Orwellian world we live in! Government agencies that develop dangerous hacking tools which end up in the wild are the good guys, and the anti-virus company who finds them out is the villain of the story.


At this point you just assume that any sufficiently large company based in Russia with capabilities of misusing their power in a way to profit Russian state government will be coerced into doing so or go out of business at some point. Russian thugs have no issues applying pressure till the victim collapses or agrees to cooperate even against their interests. I lived in Russia for 25 years and I saw that happen many times.



If your company is in Russia, China or the US, and the government in that country has any interest in the data you collect, you will have to give it away. In Russia and China they just do it, in the US it's a matter of "National Security". I'm not sure why this would surprise anyone - maybe because most of us are on the side of the latter.


Russian and Chinese coercion are on a completely different scale, and we all know it. Especially after the Snowden backlash.

Imagine any major Chinese IT company pushing back against government requests like Dreamhost did. Even the biggest ones can't/won't. It helps that the government is a huge investor in most of them, of course.

"Chinese IT company rebuffs government demand for user information on its website". This headline does not exist.


In this article and the NYT one they are actually saying the US is doing it, and it's not even a secret. Here is a quote:

"The N.S.A. bans its analysts from using Kaspersky antivirus at the agency, in large part because the agency has exploited antivirus software for its own foreign hacking operations and knows the same technique is used by its adversaries."


That is not the same thing. The fact that they've exploited AV does not mean that they coerced an AV company into installing 0day for them. Those are very very different things.


Ok, four questions:

1. Is hacking into a foreign AV company by a state an OK thing to do?

2. How do we know the anonymous source is being truthful?

3. If yes to the first two, are we certain that it wasn't exploited but was coerced?

4. If all of these things are true and they were coerced, what is the practical difference for the party being monitored?


The difference is that in theory, you can make secure software in the US that hides information from the gov't. For example the secure enclave on newer iPhones. Of course, if you don't make secure software, they will get exploited by security services.

In China it is not even theoretically possible because the gov't mandates backdoors and can easily shut down your company if you don't comply. You have way less recourse on rule of law.


You are absolutely right that we don't know any of these things for sure. My point is not that we know them for sure. Simply that, as written, the article does not claim the US to have done something morally equivalent to Russia. And to my knowledge, there is no evidence that the US has done something like that, either.


Even if the US government doesn't have such power as the Chinese (though I doubt they don't), there still can be a motivation for US companies to cooperate because it can be mutually beneficial (for example, a company in exchange can get some contracts or some changes in legislation).


A lot of that is because Russia and China don't feel very secure compared to the US for various historical/geopolitical reasons. The US govt is known to act ruthlessly when it feels there's an existential threat.


Feels like this is moving the goalposts, especially given the context of this discussion (IT corps protecting their users from the government).

Think about the fact that the FBI had to actually get a warrant to even begin talking to Lavabit. They had to actually go through bureaucracy. It was not instantly handed over to them on request.


But they have successfully shut down Lavabit as a result.


As a Ukrainian Jew, the idea that Russia doesn't act as, if not more, ruthlessly than the U.S. is pretty laughable.


As an Arab Muslim, the idea that the US is any better is laughable.


You must not live in Afghanistan.


As a Turkish atheist, I cannot even express my feelings on the Internet.


The Soviet Union committed far worse crimes up to the 1950s. The US did far worse (Vietnam, Iraq, many other wars) since WW2.


The Russian government is presently bombing hospitals in Syria.


Sure. So did the US in Mosul.


Arrant nonsense


You've been breaking the HN guidelines by repeatedly posting uncivil and/or unsubstantive comments, and also by using HN for flamewars and ideological battle.

We ban such accounts that do these things, so would you please read https://news.ycombinator.com/newsguidelines.html and stop?


This is a gross false equivalence.


Yes. I find it annoying in these threads how people refuse to acknowledge that we have much stronger rule of law in the west. Even though it's flawed and abused, every rational actor prefers our system.


> we have much stronger rule of law in the west

Domestically perhaps, but not when it comes to international law (eg. sanctioning torture, extrajudicial killings, drone strikes, illegal invasion etc.)


> Domestically perhaps, but not when it comes to international law

One of these is a thing with courts, enforcement mechanisms, et cetera. The other is really only relevant for preventing war between global powers, i.e. the Security Council.


>I find it annoying in these threads how people refuse to acknowledge that we have much stronger rule of law in the west.

No we don't. We have a stronger belief in the rule of law, but not an actual practice of rule of law. It's been getting worse and worse over the past two decades and at this point I see little difference between any particular western government and Russia's.

If you haven't noticed it, you've been willfully ignorant.


> at this point I see little difference between any particular western government and Russia's

There is quality research in measuring, quantitatively and qualitatively, the rule of law [1].

While disagreement abounds around methods and data, it's pretty universally observed that the rule of law in Russia is worse than that in the West.

https://www.researchgate.net/profile/Joseph_Bajjalieh/public...


The parent comment is probably right. In Russia even election results are forged by Putin supporters.


How is the Lavabit case an instance of the government misusing its power? The government got a court order to monitor the metadata of an account of a user that they had probable cause to link to a crime. (The alleged criminal had already admitted to the crime.)

Lavabit had previously complied with search warrants to obtain data for users suspected of dealing in child pornography. https://www.docketalarm.com/cases/Maryland_District_Court/1-...

When Lavabit delayed implementing the monitoring they had agreed to, losing forever the ability to collect data generated during that time, only then did the government effectively put them out of business.


Well, fair point. My bias may come from the fact that I see NSA domestic surveillance as grossly unconstitutional as well as an undemocratically implemented abuse of state power. I suppose it's useful to ask at what point can the State grant an order that is illegitimate, if this isn't one of those cases? If Putin has a court order drafted to do his dirty work does that make it any more legitimate?

Maybe Snowden broke laws, but every single person breaks some frivolous laws every year of their life that they can be prosecuted for, see The Intercept source I posted on this.


Should we be afraid of tools like IntelliJ as well? I have been looking into Kotlin, and really like it so far, but the idea of a backdoor getting added to my apps by the compiler of the language is straight out of a nightmare.


Just decompile your built JAR files and go through the source code yourself if you're worried.

http://www.benf.org/other/cfr/

Also, JetBrains is based in the Czech Republic, not Russia.


JetBrains is registered in the Czech Republic but most development takes place in St Petersburg.


Couldn't you say the exact same thing about any company in the United States? Instead of thugs we have payoffs, secret warrants and courts.


Lavabit.
