Apple refused to pay bounty to Kaspersky for uncovering vulnerability (9to5mac.com)
91 points by uladzislau 10 months ago | 61 comments



For context (which of course is buried far from the title), Kaspersky is a Russian company and Apple, being an American one, is subject to the embargo and sanction lists of the USA:

> While Kaspersky is a multi-national company, it was founded and headquartered in Russia, a country the United States has heavily sanctioned due to the war in Ukraine. This could severely restrict financial transactions between U.S. companies and those in the region.

> Additionally, per Apple Security Bounty’s terms and conditions, “Apple Security Bounty awards may not be paid to you if you are in any U.S. embargoed countries or on the U.S. Treasury Department’s list of Specially Designated Nationals, the U.S. Department of Commerce Denied Person’s List or Entity List, or any other restricted party lists.”


> Galov even proposed that Kaspersky donate the bounty to charity, but Apple rejected this, citing internal policies without explanation.

I just don’t get why Apple wouldn’t cite the law if that’s the reason? Surely doesn’t look good on them if they’re just holding back bounties for undisclosed reasons.


I don't think it has any benefit for them to explain why. Explaining why just invites argument.

"Oh, you can't pay because we are in Russia, just pay to our Massachusetts subsidiary!"


> I don't think it has any benefit for them to explain why.

It clearly has. There are lots of hackers and security researchers who will make very different decisions depending on whether they expect Apple will honor their bounties. Traditionally, people who report security bugs have been treated poorly, and arbitrary rejections certainly help move the incentives towards the exploit market instead.


> Explaining why just invites argument.

... and who knows where that could lead. Why, the rabble might get the idea that they're allowed to disapprove of decisions Apple makes!


Yep. Despite the Hacker News peanut gallery essentially yelling “debate me!”, exposing the public to these specifics has never been part of Apple’s MO.


I was thinking this exact thing; they have the Massachusetts subsidiary, so why not?

I would still call this a "refuse to" vs "can do", but hey, Apple can keep that money - keeps the layoffs away.


Violating OFAC sanctions can result in extreme consequences, including prison for up to 30 years and fines in the millions of dollars. It would be prudent and reasonable for Apple to do nothing rather than to do something that invites this type of inquiry. To do nothing invites, at most, a de minimis amount of reputational risk.


Reputational risk can lead to security risk if researchers think Apple is not paying bounties anymore.


If you’re a security researcher who potentially falls under OFAC sanctions. Everyone else will likely still get paid.


Yes, of course, they can't work around OFAC sanctions, but donating the bounty to a charity would probably have been 100% fine, and a show of good will.

It's not the first time we've seen Apple not playing nice with their bug bounty programme, so it's something of a pattern of behaviour. "A show of good will" is exactly what they need.


“Probably fine” is not the comment I would’ve wanted from my lawyer. There are tons of ways this could’ve gone south. For example, which charity? What if Kaspersky benefited from a tax break as a result? Etc., etc. Why take a chance?


So why are they even able to have the Massachusetts subsidiary? Is every vendor doing business with that corporation also violating sanctions?


That would be seen as payment to a sanctioned entity, right? Just because you donated the award to charity doesn’t mean it isn’t considered a transaction on behalf of a sanctioned entity.

Makes total sense to me.


If the money didn't flow through Kaspersky (the wording here of "Kaspersky" donating it vs Apple donating it is weird) and it was donated to a neutral charity (say, Red Cross or Médecins Sans Frontières), I don't think anyone would raise an eye at it.


I think you’re underestimating the risk - it’s clear (to me anyway) that you cannot move money around at the request of a sanctioned entity; even if the money doesn’t “flow through” them, influence, goodwill and connections do - all of which are reasonable attack vectors for the sanctioned entity (Russia).

Any potential downside far outweighs the upside. Apple does not want to get on the State Department’s shit list, period, and certainly not to do goodwill efforts for the Russians.


Is Kaspersky sanctioned?


There are US sanctions against the Russian government and some officials, but is Russia an 'Embargoed Country', whatever its legal definition might be?


Title is misleading/clickbait.

Should be “Apple cannot legally pay bounty to Russian company due to sanctions.”


I don't understand Apple's reasoning. Keeping Kaspersky on side ought to be a top priority; next time it happens, the info might not be so forthcoming. Apple could easily dispose of the money in ways that showed it would pay if it could. And, to Apple, the amount isn't even small change.


Apple runs on PR and it would be very easy to lose control of the narrative. It’s a touchy subject and the nuance here revolves around things the average news consumer probably lacks context on.

There’s a very real chance that headlines of the variety “Apple makes donation to charity to pay Russian hackers” float around. It’s not even wrong (though it lacks a lot of context).

I’m doubtful Kaspersky is even that mad about it; they knew they weren’t getting paid at the outset.


If a corporation can get away without spending money, in the clear, they will.


No, at the very least a "likely" should be added to the title, as Apple never provided a specific reason.


Seems a bit unusual for the sanctions to also block paying a charity instead.

Well, as long as the charity is a legit thing and not some shady attempted workaround.


Does it seem unusual? What is your usual experience with organisations based in a sanctioned country asking for a donation to charity in lieu of a bug bounty payment? It sounds like you have an interesting and unique perspective to share.


Sounds like you have some wonderful, informative and precise experience to share as well.

Do tell...


They do somehow pay taxes to Russian government. Probably good value for money to have that backdoor tho.


I've always felt sorry for Kaspersky. The leadership seems to have put together a company that's about as ethical, in culture and in the general sweep of its actions, as you can ever find in the industry. Their products tend to be in the upper tier in terms of delivering what they promise. They try to behave like "good citizens".

But the company constantly gets squeezed between trying to fight obnoxious demands from the Russian government (including, I suspect, by not expanding into businesses where those demands would be un-resistable), and trying to fight suspicion from everybody else.


Kaspersky's founder is known to openly work for KGB.

> At the age of 16, Kaspersky entered a five-year program with The Technical Faculty of the KGB Higher School, which prepared intelligence officers for the Russian military and KGB. He graduated in 1987 with a degree in mathematical engineering and computer technology. After graduating college, Kaspersky served the Soviet military intelligence service as a software engineer.

https://en.wikipedia.org/wiki/Eugene_Kaspersky#:~:text=At%20....


George Washington was "openly" in the British colonial forces (and for that matter Robert E. Lee was in the Union army, and Mao Zedong was in the RoC revolutionary army).

I knew dozens of people in my computer security career who'd "openly" been in technical branches of the (mostly US) military, or done classified work for defense contractors, or in a few cases who had worked for outright spy agencies (on what I do not know). Maybe a handful of them might have still been not-openly working for those agencies; most almost certainly were not.

Many of them were still obviously sympathetic to those agencies' agendas. That did not necessarily extend to helping them out in any way (although sometimes it definitely did). A few sure seemed exactly the opposite, and if they were in deep cover, they probably could have served that goal better by just keeping their mouths shut. In a few cases they helped to build organizational or technical structures that clearly would have made it harder for anybody, including the agencies they'd previously worked for, to subvert their new employers' security guarantees.

So, 35+ years ago, at 16, Kaspersky took what was probably the only technical education opportunity available to him in Soviet Russia(TM). At maybe 20, he took what was probably the only job available to him. Going by that same Wikipedia article, apparently within a year or two, he moved to private industry (such as it was in that place and time). That included getting an early release from military service (not sure how that interacted with the dissolution of the USSR, which happened at more or less the same time).

That's par for the course.

It is very, very hard to find a person or company in that space that's squeaky clean, has no conflicts of interest, and/or has no ties at all with any government or government agency you might be afraid of.

If it's a large company (bigger than Kaspersky), and has been around a while, there's a real chance that it's released products with all kinds of weird back doors, with and/or without the knowledge of its executive management. Maybe even back doors for multiple competing actors. And at the same time it may release many more products that don't have them.

I don't think Kaspersky (the man) is some kind of revolutionary, nor do I think Kaspersky (the company) is going to openly defy the Russian government. I also don't think that their trustworthiness couldn't change at any given time. I do think that they're at least averagely "good". And I think that they get way more than their share of paranoia, with tons of people just assuming that they've "always" done things with their products that, frankly, they couldn't realistically have gotten away with doing.


Well put. I like Kaspersky and share the opinion that there's not much they can do but operate within their geopolitical constraints. It's a pity that the world has come to this, but as I'm neither Russian nor American, I have no horse in this race.


I believe you're deluding yourself. Firstly, KGB wasn't the only option available to him to get a technical education, nor the only job available. People joined KGB for ideological reasons, at least those who stayed. Secondly, there's no way KGB is going to forego an opportunity to have a rootkit running on their main enemies' systems. Simple ability to ignore certain malware is already priceless.

If Kaspersky himself wouldn't do it, they would replace him with someone who would. But chances are, Kaspersky would see it himself as a patriotic act.


Trade sanctions rarely achieve their stated aim, but that doesn’t mean they aren’t the law.


But Kaspersky specifically is not sanctioned. Is there a general sanction against all Russian firms?


Can’t Apple pay the bounty through a third country to avoid the embargo like the way that Shell and BP sell Russian oil to US companies?


Even if they could, I doubt Apple wants anything that could be remotely construed as attempting to bypass said sanctions. Even if everything is above board, there’s also the risk of it being used as a sound bite by a politician to sway the public. So however ridiculous it might seem at face value, from their perspective it makes total sense to just not even touch the problem at all with a 10-thousand-foot pole.


Imagine that meeting.

You run a bug bounty program. When you set it up you talked with a bunch of lawyers and they wrote the language saying that you can't run afoul of sanctions. But you'd like an exception so you shoot an email to the lawyer for your organization. "Hey Alice, I'd like some legal advice. I know the law says we can't pay companies in Russia but could we like, you know, set up a shell company that we can route some money through?"


Apple just ensured that Kaspersky won’t report the next vulnerability they unearth.


Yeah, ironically, the Russian government may be interested in paying them next time, as it could be useful in a cyber attack.


Not made up -- Alibaba was actually punished for reporting the log4j vulnerability:

https://www.zdnet.com/article/log4j-chinese-regulators-suspe...


Apple loves money, it’s why they changed the airdrop policy for China to knee-cap protesters from using sneaker net.


Talk about burying the lede


Does Kaspersky care at all about the monetary aspect of the bounty? I think they are ethically bound and probably already know they will not get paid.


According to TFA, they care:

“We found zero-day, zero-click vulnerabilities, transferred all the information to Apple, and did a useful job,” Dmitry Galov, head of the Russian research center at Kaspersky Lab, told Russian news outlet RTVI. “Essentially, we reported a vulnerability to them, for which they must pay a bug bounty.”

Galov even proposed that Kaspersky donate the bounty to charity, but Apple rejected this, citing internal policies without explanation. It’s not uncommon for research firms to donate bounty payments from large companies to charity. Some perceive it as an extension of their ethical obligation, but it undeniably contributes to a positive reputation within the security community.

“Considering how much information we provided them and how proactively we did it, it is unclear why they made such a decision.”


>”…for which they must pay a bug bounty”

Galov’s statement is plainly wrong. The very first line in Apple’s bug bounty program terms and conditions states that awards are granted solely at their exclusive discretion.

There is no “must.”


Was the quote in English or a translation?


> “Considering how much information we provided them and how proactively we did it, it is unclear why they made such a decision.”

It is because you uncovered the backdoor, stupid. They worked hard to hide it. /s


Don't look for payouts in bug bounties. It's not a fair deal and you will always be taken advantage of.


Good job Apple!


Is 9to5mac another one of Vladimir's puppets now? Quite the pro-Russian headline there.


I'm sure this is all a part of Putin's grand designs. I'm so happy that every single person living on the other side of the Russian border is ontologically evil so I can hate them without feeling bad. /s


Better sell next time


Apple’s excuse is poppycock. Tens of thousands of developers in the US use JetBrains products and pay for them routinely with their debit cards on subscription. JetBrains is located in St Petersburg.

They should be sued, and also, given that such sophisticated attacks are usually the domain of state sponsors, if they don't pay they can be assured that the next one won't be reported to them.

...or maybe that's the plan.


JetBrains is Czech, so it doesn't apply here.


Headquartered in Prague.



This is wildly impressive to me. Well done JetBrains!


Strange how it's a subject for discussion. It's like considering, during WWII, paying the operator of a gas chamber in Auschwitz.


It’s not that strange. During World War 2, many American companies created subsidiaries to allow collaboration with Nazi Germany and Fascist Italy. Companies like Associated Press, Chase Bank, IBM, Coca-Cola, Ford. Those companies that couldn’t do so openly like Coca-Cola just created wartime units like Fanta which were later reincorporated under the parent company after the war. Some companies even received postwar reparations from the government for corporate losses while simultaneously being allowed to profit from wartime business with the enemy.

https://en.wikipedia.org/wiki/Collaboration_with_Nazi_German...

https://en.wikipedia.org/wiki/Business_collaboration_with_Na...


I'm not saying it didn't happen before. I know about these occasions, and I find it sick how Americans put personal gain ahead of the survival of their nation (yes, both in WWII and now the stakes were that high).

To those from the West who don't like the truth I'm telling: I am actually Russian, I know my country better than you, and I DESPISE every American who supports our regime or is just ready to deal with it as with some civilised entity. The fascist dictatorship you deal with has nothing but hatred towards your state and your nation. Every dollar you pay them will come back to you in the form of terror attacks and the deaths of your people, directly or through proxy conflicts.

I'm sure during WWII there were anti-Nazi Germans who felt the same, for example towards IBM, which had lucrative contracts with the concentration camp system of the Third Reich.


Ironically, the Nazi gas chambers were inspired by American ones which used Zyklon B as a delousing agent, as I discuss further in my comment here:

https://news.ycombinator.com/item?id=40381708

Perhaps I’m cynical or pragmatic or simply a realist, but part of me thinks that the US and its businesses by proxy are able and willing to do business with hostile regimes to gain exposure to markets, capital, and personnel for intelligence purposes.

Wartime makes for strange bedfellows, for example, the collaboration between the US government and the Italian mafia during WW2:

https://en.wikipedia.org/wiki/Collaborations_between_the_Uni...



