The article contains a useful recap of the evidence so far regarding this particular Kaspersky issue, but the news is Kaspersky's denial. I don't take the latter to mean too much either way; when you get into the world of intelligence, plausible denials are the norm, and corporations practice it pretty commonly too.
Of course the U.S. government had to remove Kaspersky from its computers. Russian intelligence has been very aggressive; the U.S. can't assume they'd pass on an opportunity this good: antivirus is widespread and highly invasive - a confidentiality (and even integrity) violation utility, with access to all data and code on the system, that the user helpfully installs for you, and it comes with built-in remote updates and communication that the user fully approves of.
What I find hilarious about this whole story is that the US government allowed highly intrusive software from a non-allied country on government machines in the first place. It seems fairly reasonable to restrict software on machines that potentially hold confidential information (incl. e.g. patient data, payrolls) to software that is produced in the same country or by companies of close allies, or at least by companies who agree to some auditing.
Yet allowing anything seems fairly common practice, even more so outside the US. I wonder how many government employees of countries other than the US have Gmail accounts and put all their documents on Google docs, etc. Not to mention online backups which tend to be more expensive for servers located outside the US...
I don't know what the particular condition with Kaspersky and the US government was, but I work for a non-US-based software company that has multiple special contracts with the US Federal Government; we have a special build of the software which was remade piece by piece on US soil, meets some Federal encryption guidelines, and our support is very strict on who can do what with any Federal Government account.
I'm not sure if this is commonplace or not, but I was under the impression that if you were from outside the US and wanted to land Federal contracts, you had to be ready to bend over a bit for the US Federal Government. No other government gets the same treatment currently.
> Also, the US Government was recently found to have fake Kaspersky SSL certs.
This is not true. An old commit for a leaked implant included example client certificates, which were invalid and self-signed, used to disguise C2 communications as anti-virus updates to avoid scrutiny. Part of the system involved copying fields from valid certificates into self-signed (invalid) ones so the traffic would not look suspicious.
If they actually had fake/spoofed SSL certificates valid for Kaspersky’s domain, that would be entirely different.
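The distinction the comment above draws (a cert that merely copies a vendor's Subject/Issuer fields versus one that actually validates for the vendor's domain) is easy to see in code. The Go program below is an added illustration written for this thread; it is not code from the leaked implant, from Kaspersky, or from anyone posting here. The CA name, organization and the hostname `updates.av-vendor.example` are placeholders, not real identifiers. It issues a genuine leaf from a throwaway root, then builds a look-alike that copies every human-readable field and even names the real root as issuer, but is signed with an unrelated key. A logger that only records names cannot tell them apart; chain validation can.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Host is a placeholder update-server name, not any real vendor's domain.
const Host = "updates.av-vendor.example"

// newKey generates a P-256 key; every party in the scenario gets its own.
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// sign issues a cert for pub from template, signed by parentKey, with parent's
// name as Issuer. Go only checks that parentKey matches parent.PublicKey when
// that field is set, so a parent struct holding just a name forges the Issuer.
func sign(template, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Result records what a field-only observer and a validating client conclude.
type Result struct {
	FieldsMatch bool  // Subject and Issuer strings identical on both certs
	RealValid   bool  // genuine leaf chains to the trusted root
	ImpostorErr error // why the look-alike fails chain validation (nil = passed)
}

func RunScenario() (Result, error) {
	var r Result
	now := time.Now()
	// 1. A root the client trusts (stand-in for a public CA).
	caKey, err := newKey()
	if err != nil {
		return r, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, err := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	if err != nil {
		return r, err
	}
	// 2. The genuine leaf for Host, issued by that root.
	leafKey, err := newKey()
	if err != nil {
		return r, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{Organization: []string{"AV Vendor Inc."}, CommonName: Host},
		DNSNames:     []string{Host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := sign(leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return r, err
	}
	// 3. The look-alike: copy every visible field from the real leaf and name
	//    the real CA as issuer, but sign with a key nobody trusts.
	impKey, err := newKey()
	if err != nil {
		return r, err
	}
	impTmpl := &x509.Certificate{
		SerialNumber: leaf.SerialNumber, Subject: leaf.Subject, DNSNames: leaf.DNSNames,
		NotBefore: leaf.NotBefore, NotAfter: leaf.NotAfter,
		KeyUsage: leaf.KeyUsage, ExtKeyUsage: leaf.ExtKeyUsage,
	}
	fakeIssuer := &x509.Certificate{RawSubject: ca.RawSubject, SubjectKeyId: ca.SubjectKeyId} // name only, no key
	impostor, err := sign(impTmpl, fakeIssuer, &impKey.PublicKey, impKey)
	if err != nil {
		return r, err
	}
	// A passive observer that only logs names sees no difference.
	r.FieldsMatch = impostor.Subject.String() == leaf.Subject.String() && impostor.Issuer.String() == leaf.Issuer.String()
	// A validating client needs the signature to chain back to a trusted root.
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, DNSName: Host}
	_, err = leaf.Verify(opts)
	r.RealValid = err == nil
	_, r.ImpostorErr = impostor.Verify(opts)
	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("names match: %v\nreal leaf valid: %v\nimpostor: %v\n", r.FieldsMatch, r.RealValid, r.ImpostorErr)
}
```

Run with `go run main.go`: the names match, the real leaf verifies, and the impostor fails with an unknown-authority error because the root's public key does not verify its signature. The practical takeaway for anyone hunting this kind of disguised C2 is that Subject/Issuer strings in a TLS log are not evidence of anything; record the leaf's fingerprint and whether the chain validated, and alert on a vendor-looking name that does not.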