Ok, let's cut the crap. Is Kaspersky a dirtbag or not? I suspect not, but it is an unfortunate accident he was born in and runs his company from Russia, the government of which is a dirtbag, so, correct me if I am wrong, Kaspersky must be a dirtbag by association, but especially for discovering Stuxnet. Believable, but I think the real reasons Kaspersky is persona non grata is due to having discovered Stuxnet, and Kaspersky Lab suspected of uncovering secret US cyberweapons in the future.
I am a patriot, but even I don't appreciate being lied to by my government. It would be good if the next best cyber security firm and software was half as good as Kaspersky's. But I suspect not.
The problem is: how do you run a business that has offices and physical assets in Russia, without being at least partially beholden to the Russian government? They have demonstrated that they are not shy about using gangster tactics.
One could say that the same is true in the US, but I believe the degree matters. Although the US government and intelligence agencies will and do try to overreach, there is a strong legal and cultural tradition of exposing, resisting, and fighting these overreaches in the US. I don't see that in Russia.
So, I would not be surprised to see the US strong-arming US companies, but they would do this with sham/flimsy legal cover. The result of non-compliance would be at worst asset seizure and/or imprisonment. Both of these can be examined and contested. I imagine that the penalty for non-compliance in the Russian system would max out at having an unfortunate accident. Gangsters all, but the level of gangsterism and possibilities for investigation/redress matter.
All that said, I'm not a US citizen (although in a Five-Eyes country), so I do worry about using US-hosted services.
> One could say that the same is true in the US, but I believe the degree matters. Although the US government and intelligence agencies will and do try to overreach, there is a strong legal and cultural tradition of exposing, resisting, and fighting these overreaches in the US.
That point would be a lot stronger if the US government hadn't demonstrated shocking callousness and disregard for international law in their efforts to catch notorious whistleblowers Snowden and Assange.
I remember when Belarus downed a plane to catch a political dissident and all western countries acted shocked, even though these countries had tried to do the exact same thing to Snowden on the US's behalf, with a presidential plane no less.
International law isn't really a thing if it has no teeth. I would be more worried about the US breaking its own laws. Which they of course do, on occasion. But there is a lot of pushback and not too much fear of reprisal if you call them out and fight them on it. For example, we are in the process of appointing a supreme court justice that, during her career, has fought against US Government overreach and represented alleged terrorists imprisoned (oh sorry, "detained"), in Guantanamo.
My point isn't "the US is bad because it doesn't respect international law".
My point is that the US is willing to go pretty damn far to put some high-profile dissidents in a hole and throw away the key, and there is very little pushback both internally and internationally, which kind of undercuts the whole "the US government would hesitate to do X because whistleblowers would stop them" argument.
Hold up. Downed a plane is different from grounded a plane. I don't know the Belarusian case, but either you misused the word or they are very different.
I live in the USA, therefore I need to consider it as part of my threat model mostly in the blunders / withholding exploits (thanks CIA ~.~) senses. For everything else I try to vote informed and support a combination of the EFF, ACLU, and other organizations that can be better informed experts on the law and its applications.
> The problem is: how do you run a business that has offices and physical assets in Russia, without being at least partially beholden to the Russian government?
The same could be said for businesses that have offices and physical assets in the US.
The argument is the US system is more accountable, fair, and able to be resisted. Not perfect by any means, but I see a lot of daylight between the two governments.
> The problem is: how do you run a business that has offices and physical assets in <insert power country>, without being at least partially beholden to the <insert powerful country> government?
The problem with this kind of Mad Libs argument is that it falsely implies the substitutions are equivalent when they're not. Also your quote shears away the context of the original statement that made it meaningful.
There definitely seems to be at least a little truth to that argument, though. Over the years Kaspersky has found and documented a whole bunch of seemingly US government linked malware whilst their Western competitors just haven't, and I think there's at least some evidence this is intentional on the part of those other companies.
> There definitely seems to be at least a little truth to that argument, though.
Of course there is, but as this thread is trying to point out, that "little truth" is completely insufficient when assessing risk. The degree to which a particular government can interfere with companies headquartered there matters. The legal culture in those countries matters. The ability to contest and redress this interference matters. An estimate of the worst that can happen to an individual who resists this interference matters.
I'm a US citizen living in the US, so I'm certainly biased, but I do believe my data (and my person, and if I ran a company, my company too) is much safer being in the US than in Russia.
It's certain that all major world powers engage in various forms of cyber warfare. It's completely expected that countries (and companies within them) that are allied will (most of the time) not expose other allies for cyber attacks and malware distribution. It's also completely expected that antagonistic countries (and their companies) will do so.
Back to the point of this article: of course Kaspersky is a US national security threat, precisely because it (as a Russian entity) will try to expose the US government's cyber warfare capabilities. Whether or not Kaspersky is a threat to the cybersecurity of individuals in the West isn't the issue here. (I would expect they probably are, to some extent, though!)
We already do know, however, that the US has no shame "asking" US-run companies for their customers' data without due process, and that this has been going on for every large US tech company. So I don't see the logic.
You talk about assessing risk, but we know from the Snowden leaks that the risk in this matter in the US approaches 100% as the size of your company increases. What degree of risk is higher than 100%?
It may be, or his company is really that good above others (I don't think he personally was involved in any of this, but hired good enough people to do so). I tend towards former but have no proof either way.
I still have a serious and (since Russia started a war in Ukraine) permanent problem with him - as pointed out elsewhere [1] he went through KGB school - voluntarily, he was actually active KGB intelligence just like Putin. At those places, your objective morals go down the drain very fast and for good. And obviously both are still very close, he approves of the overall totalitarian direction of Russia and often spoke against 'too much freedom' in the west and on the internet.
Please explain how they are not equivalent. Just because two governments are on good terms or are in some kind of partnership does not guarantee that one or the other will not take actions that benefit only them. What am I missing here?
Press. Political competition. Courts. Broadly, the rule of law.
Nobody is perfect at any of these. But if the FSB wants a code change in Kaspersky, they're getting that code change. There is no independent press to report it. No opposition incentivized to call them out on it. No court in which they could lose.
> Press. Political competition. Courts. Broadly, the rule of law.
Exactly. Mad-libs "arguments" typically boil down to an invitation to ignore salient differences (which the structure cannot call attention to), make a superficial comparison, and finally arrive at a false equivalency.
While the methods may differ, is this not true of any government's intelligence agencies? Whether or not there is press/courts/rule of law. For press to report on an event they have to be aware of it, for courts to intervene they also have to be aware of it, for rule of law to matter then no part of a government can operate outside of it in any manner, so no extrajudicial actions either.
The point of press/courts/rule of law is that at least you have a chance. Without those, no chance. That matters.
The US is not some monolithic entity. It's almost weirdly schizophrenic. Yes, the government will e.g. use some super-shaky legal arguments to justify torture ahem "enhanced interrogation", but on the other hand Freedom of Information Act requests still get processed. Yes, the NSA will spy on US citizens, but even they feel the need to come up with some legalistic / procedural cover.
Even as the US's checks and balances are tested, and structural inequalities are examined, there is a broad and deep tradition of fighting the government and not going to jail like Navalny.
The traditions and norms of a country's populace, and its institutions really really matter, especially when their institutions are being tested.
Corruption is everywhere, but this is too simplistic a pattern-match.
EDIT> Knight-Ridder did some fantastic and courageous investigative journalism debunking the US casus belli in the run-up to the Iraq Invasion. It didn't stop the invasion, but they were recognized later. Can we imagine that happening in Russia?
> Knight-Ridder did some fantastic and courageous investigative journalism debunking the US casus belli in the run-up to the Iraq Invasion. It didn't stop the invasion, but they were recognized later. Can we imagine that happening in Russia?
This type of thing is something I wish people would recognize more. In Russia right now, the simple act of participating in a peaceful protest against the war in Ukraine could easily land you in jail. While the US government has at times had a sketchy anti-protest track record, can we really imagine the US federal government attempting to pass a law today that makes it a jail-able offense to speak out against a US military action? (Hint: the answer is, unequivocally, no.)
> This type of thing is something I wish people would recognize more. In Russia right now, the simple act of participating in a peaceful protest against the war in Ukraine could easily land you in jail.
It's even worse than that: merely calling a war a war can land you in jail:
> Russia insists that it is not at “war” in Ukraine, instead referring to its violent campaign as a “special military operation.” Under a harsh new law, Russians now face up to 15 years in prison if they spread “fake” reports and call the conflict what it is: a “war” and “invasion.”
> The point of press/courts/rule of law is that at least you have a chance. Without those, no chance. That matters.
I agree with you.
> Knight-Ridder did some fantastic and courageous investigative journalism debunking the US casus belli in the run-up to the Iraq Invasion. It didn't stop the invasion, but they were recognized later. Can we imagine that happening in Russia?
Dude it's 98% because the feds only take slam dunk cases to trial, and they're extremely professional. Seriously, read up on bad convictions, it's nearly always state or local judicial systems. Frequently it is federal prosecutors that break open the corruption.
All governments are corrupt, but is it remotely plausible they are equally corrupt? Are they not comparable?
I think it's reasonable to acknowledge that, due to my citizenship and physical residence location, the NSA is probably more of a threat to my personal freedom than the FSB, but also acknowledge that, all things being equal, the FSB is a shadier organization than the NSA, with fewer legal restrictions on its behavior.
There are no relevant legal restrictions on the NSA behaviour. We know that the NSA breaks the law without any consequences. This idea that Western intelligence is any less corrupt and morally bankrupt, and indeed any less willing to interfere with people outside their borders as anyone else is frankly entirely ridiculous.
Who has more practical power to force code into a security product that runs in a privileged context, without anyone finding out? I think it’s not the NSA.
Why do you believe that, the NSA had access to Cisco PIX systems for years and it was only disclosed once those systems started to be replaced with ASA and other newer hardware.
I don't believe the NSA, CIA or even the FBI really have any actual legal limits.
> The Russian government is objectively worse by any honest metric.
Any metric you and I would like to use, yes. The govt of Saudi Arabia, which is an ally of ours, murders journalists with a chainsaw on a foreign soil and smuggles the body out of the host country in suitcases - yet no Saudi company is penalized. Supporting a proxy war in Yemen is not that different from Russian invasion, but somehow it suffers no consequences for doing so.
It's actually easy to justify: for the vast majority of Saudis prince MBS is a good ruler. Who are we to judge how their government works, given completely different cultural backgrounds, religions, and different expectations resulting from that difference? We'd be happier if Saudi Arabia was a democracy with a rule of law instead of chainsaw, but if the majority of Saudis prefer the latter, we shouldn't try to force them to change, even if homosexuals can be legally stoned to death there.
It's an easy argument, but it undermines the "objectively" part of your statement. If we accept MBS, we should accept Putin. If we don't accept the way SA works, as we don't accept Russia's, then we should not trade with the Saudis. We do trade with them, though - we (Poland) even increased (2x or more) the amount of oil imported from them this year, and they continue being our friends and valuable allies in the region.
The situation is frankly schizophrenic. Either there are objective metrics, in which case they should be applied everywhere equally, or we allow Saudis do what they want, but then we have no grounds on which to condemn Putin.
If we want to still stay close to Saudi Arabia and condemn Putin, we have to agree that we condemn Putin based on something else than objective standards of governing.
I'd really like for our foreign policies to stay true to the ideals we hold dear, but that just doesn't seem to be the case. Putin is an actual, real threat, so we don't accept him and his buddies, while MBS only dismembers his own citizens (and he even allowed women to drive!), so we accept him. That's also a kind of "objective metric", but it's far from what you meant, and it makes me deeply uncomfortable TBH.
In fairness, when you say "no Saudi company"...there ARE no companies in Saudi Arabia which we could sanction. Not really. There's the oil business, which basically is the same thing as the regime itself. Saudi Arabia doesn't do anything else. Doesn't produce anything else.
> One could say that the same is true in the US, but I believe the degree matters. Although the US government and intelligence agencies will and do try to overreach, there is a strong legal and cultural tradition of exposing, resisting, and fighting these overreaches in the US. I don't see that in Russia.
> So, I would not be surprised to see the US strong-arming US companies, but they would do this with sham/flimsy legal cover. The result of non-compliance would be at worst asset seizure and/or imprisonment. Both of these can be examined and contested. I imagine that the penalty for non-compliance in the Russian system would max out at having an unfortunate accident. Gangsters all, but the level of gangsterism and possibilities for investigation/redress matter.
I'm honestly trying to figure out here if you are trolling, or if you genuinely believe that.
If you do genuinely believe that the US government is worse (or at least just as bad) as the Russian government when it comes to citizens' personal liberties, I'd be very curious to understand why you believe that to be the case.
Certainly I (as a US citizen living in the US) am biased, but I do believe I have a healthy level of criticism and skepticism of my own government, and yet I cannot see how we even come close to how bad the Russian government is.
I, as non-US citizen, thus having sub-human rights in eyes of every US 3-letter agency, still prefer very much US approach to, well, practically any matter compared to Russian one.
For Russians, they really don't like anybody else. All that slavic closeness is crap as we can see in Ukraine and elsewhere. Heck, they don't care about other Russians neither, just a cannon fodder and poor fuckers to exploit and then throw away like garbage. They may very well like to see the entire world burn in nuclear hell if they don't get what they want, that's why current situation is really one of those moments in history when future is decided.
It would sure as hell help US image in entire world to actually backtrack a bit all those spying initiatives towards friendly, democratic and in all-important-US-aligned countries. Showing some respect with deeds and not just empty words and so on. I don't know how much that was/is visible from inside, but Trump made huge amount of damage to that, although to be fair he was just a continuation of overall trend.
It would help US to condemn Colin Powell for brandishing supposed proof of WMD at the UN Council in 2003, which they never found after invasion.
It would help for the US to stop Predator attacks. Most of the world is convinced that they are illegal and illegitimate.
And as a French person, I preferred Trump, because he didn’t trigger any new war and he calmed down Little Rocket Man. He even shook his hand! And donated 100% of his salary to charities! Biden is back and the war is back: Bad negotiation tactics, Hunter Biden shenanigans with billions transferred as a chairman of an oil company in Ukraine, female ministers of defense in all of Europe, focus on having transgender soldiers, so Putin believed we were weak and the field was open. The result is a war.
We could have avoided this war.
PS: I’m not saying female ministers of war are incompetent, I’m saying they make no-one afraid. It was way more frightening when Khrushchev’s general responsible for the nuclear button was a crazy alcoholic: When you’re faced with a madlad, you take him seriously.
That's... a strange opinion from French person (although looking at current French government's actual involvement in Ukraine it kind of corresponds).
Why - Trump was extremely close to removing US from NATO in 2018, a moment Putin waited for decade and a half (how he knew about this is another story, let's say my opinion is really not favorable for Trump and tend to lean on US secret services conclusions on their cooperation). Only conservative hawks in his own government managed to steer him away from this tragic moment.
For any European not in bed with Russian spying conglomerate that's an existential threat. We can see it now. Ukraine wouldn't have any significant arms deliveries and would be left to die and be enslaved again by Russia, with Trump cheering this as brilliant move (what he still actually did).
Russians would take over Baltic states, Poland, Slovakia, Hungary (although there is already pro-Kremlin person installed so not much work needed), possibly also Romania, Moldova, Czech Republic. Also that pesky Georgia, who do they think they are having their own state and democracy. Simply good old pre-1989 setup with good old Soviet terror. That's maybe why you guys don't care so much about Ukraine, it seems too far and not your fight, car manufacturing in Russia seems more important. Considering what Putin actually says about whole Europe, you may be wrong this time.
Trump didn't "trigger any new war"? You might want to review who got impeached (and was guilty) for intentionally weakening Ukraine and propping up Russian interests.
Regarding freedom of speech, _relative_ freedom of association and the ability to do business and to criticize governments, the US is miles ahead of Russia.
That's funny as the thread is about contrasting Russia with US, but I don't seem to recall US invading any neighboring countries under the false pretense of defending some minorities.
But, seriously, if you remove "neighboring" from your statement (which seems to be not particularly relevant to a discussion of morality and respecting the sovereignty of other nations), I'm sure we can find plenty of bad examples perpetrated by the US, many of them much more recent than the Mexican-American War.
I remember a woman testifying that they were killing babies in Kuwait, and she was later discovered as being the daughter of an ambassador. Source: https://en.wikipedia.org/wiki/Nayirah_testimony
I remember the late Colin Powell brandishing proof of WMD in Iraq at the UN Council. He will never land in the TPI, neither will the UN Council for basing a judgment upon unverified allegation causing dozens of thousands of illegal killings by the US army.
> One could say that the same is true in the US, but I believe the degree matters.
I think the key misconception behind this argument is the idea that harmful governments is a binary flag, such that if you're subjected to one adding more makes no difference. In fact, different governments have different concerns. This means if you're subject to the US and Russia you're significantly more constrained than if you were just subject to one. As such, it makes sense to reduce exposure even if you obviously can't eliminate it.
(I also believe the US govt is much better than Russian, but I'm leaving that out because my argument doesn't need it and I'm uninterested in that argument)
> The problem is: how do you run a business that has offices and physical assets in Russia, without being at least partially beholden to the Russian government? They have demonstrated that they are not shy about using gangster tactics.
To be fair, the US government has used gangster tactics to get US companies to install backdoors and allow encryption breakers.
It doesn't matter. The fact is Kaspersky (the company) can be coerced by the Russian government to exploit their highly privileged systems access to millions of computers around the globe.
I don't expect Kaspersky (the person) to play hero under these circumstances.
So can microsoft, adobe, google, etc. Even without them, NSA can intercept the hardware and put their software on those boxes... wikileaks showed a bunch of stuff NSA did.
If you're a valuable target, it's basically choosing if you want to be spied on by the russians or the americans. (or installing linux, and hoping for the best).
> So can microsoft, adobe, google, etc. Even without them, NSA can intercept the hardware and put their software on those boxes...
Those companies often actually have people scan the hardware they receive to check for alterations. There was a whole thing about this a decade ago where a reporter (wrongly, IIRC) accused Facebook and Google of having compromised motherboards, and people from those companies were commenting here about how they are actually very careful with their supply lines and have people vet what they receive with scanning electron microscopes in some instances. (I'll try to find some of the submissions here and edit them as links on the bottom shortly).
I also have it on good authority (a good friend that worked at Google at the time) that Google found out that someone (the NSA) was tapping their inter-datacenter links and that's one of the reasons they made sure all data between datacenters was encrypted, and that was prior to the Snowden leaks.
So yes, agencies are constantly attempting to infiltrate large tech companies for their own purposes. That doesn't mean they always succeed, or that those companies just give up and accept that it happens. They all fight it quite actively.
I was talking about google/apple being able to inject arbitrary code into (almost) any phone via (eg.) google play service update or whatever apple has. Also microsoft with windows update, and many other companies too.
I was really referring to the part of your comment about the NSA's ability to intercept the hardware.
It's true that any software that allows auto-updating can be used to load arbitrary code onto a system, limited only by whatever additional safeguards are in place. In the case of the OS vendor, that can't really be guarded against, but it exists farther up the stack as well. Chrome and Firefox can just as easily load nefarious code onto your computer, limited only by what the OS prevents (which is generally more on a mobile platform, thankfully) and what their own reputation can sustain if they were found doing so.
Do you have evidence that this happens due to outside or government interference in the company's release process? If not, this is just a conspiracy theory.
This is true, tho installing linux is probably not going to make a difference if you are a target. But the USA can issue national security letters through the FISA court with gag orders that keep the NSL secret. Not only that, but the major US companies have lucrative government contracts such that it can be in their interest to provide the US government with certain kinds of access without being compelled through national security letters.
> Even without them, NSA can intercept the hardware and put their software on those boxes.
It's interesting to note that not many people remember (maybe a generational thing?) Kevin Poulsen found multiple government listening devices installed on Pac Bell networks that were listening to foreign embassy phone traffic which was highly illegal at the time.
It doesn't surprise me the extent the NSA and other three letter agencies have gone to get at information they deem valuable or important.
They don't need to nationalize anything, they can just threaten his family with imminent and painful retribution and he'll open it up to anything they want. Period.
All these people whining about "they're both the same", they are not. "Bay of Pigs" argument does not apply, last time I checked Cuba was still standing where on the other hand Ukraine is burning and getting demolished.
It seems that those complaining really really do not understand the horror of living under an "official" or "unofficial" (i.e. government sanctioned vs. government tolerated) mafia rule: either you do what they tell you, or you cease to be, along with your spouse, children, parents, siblings, etc. There is absolutely no negotiation.
Shouldn't I have the same concerns with software from the US? You don't really have to nationalize to force devs to push malicious code (looking at you Australia)
> Shouldn't I have the same concerns with software from the US? You don't really have to nationalize to force devs to push malicious code (looking at you Australia)
You should have the same concerns about software from anywhere, including the US. I believe it's a couple orders of magnitude more likely I'd be harmed by Russian government malicious code than any other nation.
Russia is in crisis, striking indiscriminately, and has no reputation left to lose. So that's where my concern lies.
I've worked in multiple European environments (gov & private sector) that mandated usage of European anti-virus & firewalls.
In finance I had a client that didn't trust any vendor and asked me to reverse engineer VPN appliances (they negotiate a special clause with the vendor), which makes more sense than trusting based on country of origin.
But we're talking about a government that just stole hundreds of millions of dollars in foreign planes (and other equipment) and took down satellite radio networks with cyberattacks (causing a lot of collateral damage), recently backdoor'd thousands of companies via Solarwinds, and looked the other way w/r/t ransomware groups until one of them caused a major international incident (Colonial pipeline). The threat from other nations is a lot more theoretical than it is for Russia.
Russia can do it without any backlash from their citizens. U.S. can't do it to their own citizens without backlash. Differences in representation of population means different incentives.
Backlash after the wikileaks? What backlash? FISA courts? Gag orders?
Just call the "other guys" terrorists, nazis, whatever, and Americans can occupy and bomb whatever country they want (and they did that to many countries) without any backlash. Gone are the days of the hippies and anti-war-anything... sadly.
I was kinda hoping for a "revolution" in one of the European countries (eg France) during covid, where people would "remove" the current government, and make the other governments at least worry a bit when their people get mad... but sadly, not even that.
This kind of comment isn't my favorite, but I do understand where you're coming from. I personally think that it's better the devil you know than the devil you don't.
I'm American. My country is the US. Yes, they're spying on me. Yes, they do naughty things. But I assume that at the end of the day, the US has my interests at heart more than China does. Or the UK, or Russia, or Turkey, or anyone else. I happen to live on the land that they'll protect even while filling their pockets.
My feedback to you would be to do the same. You don't have to trust your own government but assume your government will keep you around longer than any other government will.
The US government has been known to want to keep people alive for the purposes of chattel slavery.
I'd much prefer misdeeds that don't affect me from a government that doesn't care about me, than those of a local government who wants to keep me alive for the purposes of doing more bad things to me in the future
The FTC isn't telling non-Americans what to do, only Americans. Russian software, outside the jurisdiction of the American legal system and under the control of Putin, is a threat to American infrastructure. American software is not.
You should absolutely have concerns with proprietary software from the US but unless you are in a country that is currently in a cold-war relationship with the US the concern is likely VERY different.
Snowden's leaks showed that the NSA was simply ignoring the 4th Amendment, and that the secret FISA court was letting the NSA do so.
Theoretically, the Constitution protects you. In reality, the intelligence community acts largely in secret, and there's very little preventing them from violating the Bill of Rights. Citizens don't even know what rights they've given up until someone like Snowden spills the beans.
Putting a numeric value on this is silly. The fact is that the United States government can compel companies to aid in its surveillance (just recall when they forced Snowden's email provider to install a backdoor).
Even if a company does not want to participate or is not compelled to do so, the US government has very significant capacity to break into and co-opt systems (all the way from targeted surveillance of individuals by intercepting and bugging hardware to tapping undersea cables to indiscriminately hoover up communications).
So when people say that Kaspersky might be forced to go along with Russian intelligence, the same goes for American tech companies and US intelligence. There is indeed a 4th Amendment that is supposed to protect Americans, but the last two decades have shown that the government is perfectly willing to ignore that legal restriction.
The US has the most extensive global surveillance system in the world. US intelligence services receive about as much funding as the entire Russian military. I have no doubt that Russia tries very hard to engage in extensive foreign surveillance, but it's not in the same league as the US.
Yeah, I remember when the US government took Apple to court to get them to allow FBI to have a backdoor through the encryption and Apple did not capitulate, though the cases were eventually dropped. While US agencies certainly do crooked things, they do not have the capacity to force companies to do stuff under threat of violence and otherwise that Russia does with Kaspersky.
* The NSA secretly obtained access to every Verizon customer's entire call log. This was blatantly illegal (the 4th Amendment forbids general warrants), and it only came to light because of Snowden's leaks.[0]
* Snowden's email provider, Lavabit, was compelled to install a backdoor that allowed the US government to read the emails of all of the provider's users. The process was supposed to be secret: the company was under a gag order. The public only found out because the founder spoke out.[1]
There are many examples like this from the US (just look up "National Security Letter," or take a look at Snowden's leaks). You're citing one example in which a company successfully refused a request, but we also know from Snowden that there was mass collection on most Americans that went on for years in secret, despite the fact that it was blatantly illegal.
The scale of surveillance conducted globally by US intelligence agencies is unparalleled. I'm sure Russia wishes it could collect information on the same scale, but it simply does not have the ability to do so.
Isn't the difference that the government cannot permanently keep such compromises secret? They have to have a warrant for a limited period of time and limited scope?
Illegal NSA dragnets and perjury in front of Congress notwithstanding.
In the US the press can be openly antagonistic toward the government without reprisal beyond maybe having a WH press-corps pass tossed. This provides a path for whistleblowers.
Could the Russian press behave toward Putin as the US press toward Trump? If so, then you can have your 10s.
Snowden and Assange have been used as examples. Although, there are probably more people shut by the Russian government than by the US, by far. The thing is, the US secret services are secretive enough that no one can complain about it, independently of the ability of the people to complain.
No, Snowden's leaks show DoD lawyers working hard to justify programs under the 4th Amendment. In the fallout of the leaks, all but phone metadata collection passed muster.
The dragnet surveillance programs that Snowden revealed are obviously outlawed by the 4th Amendment.
Of course lawyers working for these agencies will try to justify them. That's what they're paid to do. During the Bush Jr. years, lawyers for the administration also argued that torture was legal, despite the fact that it's blatantly illegal.
Nevertheless, these programs are incredibly difficult to challenge in court, because the secrecy surrounding them makes even proving standing nearly impossible.
There was only one extant US dragnet surveillance program in Snowden's leaks, which was the phone metadata collection, so I don't know why you have the plural. Snowden's leaks showed the lawyers' justification for that program (https://www.aclu.org/files/natsec/nsa/20130816/2009%20OIG%20...) which said that the data does not fall under Fourth Amendment protection by Supreme Court precedent, and it was never ruled unconstitutional, only exceeding the law that the government claimed had authorized it.
Snowden's leaks revealed several mass surveillance programs, including PRISM, XKeyscore and Tempora.
As for the (un)constitutionality of mass collection of Americans' call records, here's what Reuters[0] says:
> In a ruling handed down on Wednesday, the U.S. Court of Appeals for the Ninth Circuit said the warrantless telephone dragnet that secretly collected millions of Americans' telephone records violated the Foreign Intelligence Surveillance Act and may well have been unconstitutional.
The court did not make any ruling on the Constitutionality of the NSA's mass surveillance program, but they wrote in their decision that it very likely was Unconstitutional.[1]
Historically speaking, this NSA program is exactly the type of search that the 4th Amendment was intended to prevent. Americans were upset about "writs of assistance" that gave colonial officials wide powers to conduct searches against classes of people. That's why the 4th Amendment requires warrants to be specific and limited in scope. Handing out warrants that allow authorities to collect call logs of millions of Americans is blatantly Unconstitutional, and is exactly the sort of thing the 4th Amendment was intended to put a stop to.
PRISM isn't mass surveillance. Snowden's slides clearly show it is a way for the NSA to ingest data from FBI wiretaps [1], which are targeted, which is why the only lawsuit brought against it was dropped. High school dropout Snowden and useful idiot Greenwald were too stupid to understand the slides they released and were called out about it immediately on Twitter. The New York Times [2][3] and CNET [4] subsequently correctly described the program, and WaPo retracted its original description. Now, Snowden never talks about PRISM out of embarrassment, only the phone metadata program.
XKeyscore is simply the database that stores data collected outside the US, and Tempora is not even a US program, so clearly neither can violate the 4th Amendment, which is why no lawsuits were brought against either program.
> Handing out warrants that allow authorities to collect call logs of millions of Americans is blatantly Unconstitutional.
Obviously not. The program was limited to collecting millions of call logs instead of all call logs after the leaks, and that was considered so obviously constitutional that nobody sued. [5]
There are many obvious errors in your claims, such as this:
> Tempora is not even a US program, so clearly neither can violate the 4th Amendment
The NSA is a partner in the program (led by the British, with whom the US has a very close intelligence partnership). The program does bulk collection on undersea cables which do carry Americans' data. This is prima facie a violation of the 4th Amendment.
> which is why no lawsuits were brought against either program
The reason why lawsuits so rarely get anywhere against any of these mass surveillance programs is that in the US legal system, you have to be able to prove standing in order to challenge them. The US isn't like other systems with dedicated constitutional courts that can review laws on their own initiative. Someone has to be able to show that they themselves have been specifically harmed. Unless you can prove that the NSA specifically looked at your data and used it against you in some way, you can't challenge the NSA's surveillance. By the very nature of these programs, it's nearly impossible for anyone to prove that.
> The New York Times [2][3] and CNET [4] subsequently correctly described the program
The NY Times article you cite describes it as a program that collects information from the largest US tech companies on the basis of FISA requests. Just so you recall, FISA is a court that operates in secret, that grants virtually all requests, and that has demonstrably signed off on Unconstitutional bulk surveillance (e.g., mass collection of call logs).
And by the way, the type of behavior we're discussing here, which we know for a fact the US government has engaged in, is exactly what people in this thread are alleging the Russian government might theoretically do to Kaspersky.
> High school dropout Snowden
Yes, a "high school dropout" who was paid 200 grand a year and given access to the NSA's classified networks. What a dummy!
> The program was limited to collecting millions of call logs instead of all call logs after the leaks, and that was considered so obviously constitutional that nobody sued.
This is not how the process of challenging an Unconstitutional law works. You can't just say, "That's Unconstitutional" and then sue. You have to show that you have personally been targeted. That's why Rosa Parks had to physically sit down on the bus and wait to get thrown off. That's what gave her standing to challenge Montgomery's segregated bus system. Just knowing that a surveillance program exists and has probably illegally collected your information does not automatically give you the ability to challenge said program in court.
Bulk collection of records of millions of Americans (this is just the warrant that we know of, and there were almost certainly similar warrants covering most Americans, because by design, the program was meant to do bulk analysis of all call records) is obviously unconstitutional, but also very difficult to legally challenge.
The NSA is aware of the program but has no say in implementing it and doesn't have access to its data. Only the UK has the data and gets to choose who to share what they've learned from it to. This is clearly not a violation of the 4th Amendment, which is why nobody has sued the US government for it. If you believe it is a violation, go ahead and try to find a lawyer to take your case.
> The reason why lawsuits so rarely get anywhere...
No lawsuit was brought at all against XKeyscore or Tempora. That is the reason they didn't get anywhere. Lawsuits were brought against the phone metadata program, which succeeded, and against PRISM, which was thrown out because it didn't collect the data of the person who brought the lawsuit, unlike what Snowden and Greenwald erroneously claimed.
> Just so you recall, FISA is a court that operates in secret, that grants virtually all requests, and that has demonstrably signed off on Unconstitutional bulk surveillance
Once again, no program the court has signed off on has been ruled unconstitutional. Just so you recall, FISA is not a court but a law. FISC is the court that rules on FISA requests.
> And by the way, the type of behavior we're discussing here, which we know for a fact the US government has engaged in, is exactly what people in this thread are alleging the Russian government might theoretically do to Kaspersky.
The behavior we're alleging the Russian government could do with Kaspersky is putting malware in its software. We know the US government has done this for hardware exported overseas, which is why we are right to expect Russia to do this. We also know that Russia engages in dragnet domestic surveillance, which is something you're alleging that the US does, but there is no evidence of.
> Yes, a "high school dropout" who was paid 200 grand a year and given access to the NSA's classified networks. What a dummy!
He was a Sharepoint admin earning $122k. https://www.washingtonpost.com/blogs/erik-wemple/wp/2013/06/.... His hilarious misinterpretation of PRISM and other programs proves what a dummy he is. The fact that he dropped out of high school just explains how he came to be so stupid, and it should have been a signal for you to read the documents he leaked instead of expecting him to interpret them correctly for you.
> Bulk collection of records of millions of Americans (this is just the warrant that we know of, and there were almost certainly similar warrants covering most Americans, because by design, the program was meant to do bulk analysis of all call records) is obviously unconstitutional, but also very difficult to legally challenge.
They just have to have reason to believe their data is being collected to challenge it, as they did in Klayman v. Obama I. The conclusion was that the bulk collection of everybody's call records wasn't justified by the law, with no ruling on the constitutionality, possibly because there was precedent in Smith v. Maryland that it is constitutional (the very opposite of "obviously unconstitutional"). After that, Congress passed a law that allowed collection of millions of call records, and that was not even challenged.
This is from the first article I came across on the RT front page right now:
> Moscow attacked neighboring Ukraine last month, following a seven-year standoff over Kiev’s failure to implement the terms of the Minsk agreements, and Russia’s eventual recognition of the Donbass republics of Donetsk and Lugansk. The German- and French-brokered protocols had been designed to regularize the status of those regions within the Ukrainian state.
> Russia has now demanded that Ukraine officially declare itself a neutral country that will never join the US-led NATO military alliance. Kiev insists the Russian offensive was completely unprovoked and has denied claims it was planning to retake the two republics by force.
It doesn't seem like they are afraid of getting disappeared for saying Russia attacked Ukraine.
RT is the propaganda arm of the Russian government operating in other countries.
Internal newspapers, such as Novaya Gazeta, have been shut down for saying "war" in print. Just the latest in many papers, radio channels and more that have been silenced in Russia.
> It doesn't seem like they are afraid of getting disappeared for saying Russia attacked Ukraine.
Most of the world considers Americans the "bad guys", and a lot worse than the Russians. You can start with southern America and the Middle East. Then the Balkans (where Putin is doing the same as you guys did with Kosovo). Even parts of Africa would have a say.
Here in the Balkans, people were actively rooting for Trump in the last two elections, because they were afraid Hillary would start a new war here...
You are way off base. First, I am not American and well aware of the imperialist and oppressive aspects. I would be quite happy to see the American hegemony disappear, but not for it to be replaced by Russian aggression or Chinese imperialism.
> Most of the world considers Americans the "bad guys", and a lot worse than the Russians. You can start with southern America and the Middle East.
Their absurd support for tin pot dictators in South America was and is reprehensible, and the whole Iraq war was morally bankrupt and threw fuel on a fire that we’ll be trying to put out for decades. And yet, nothing the Americans did in the Middle East came anywhere near Aleppo or Mariupol. Or the Holodomor. Or the Prague Spring.
> Then the Balkans (where Putin is doing the same as you guys did with Kosovo).
Come on, now. You cannot possibly compare Sarajevo (with an actual genocide being carried out, surprisingly, by the side with Russian support) with the charade Putin used as a fig leaf to invade Ukraine. This is pure propaganda. The region would not be any better today had the ethnic cleansing gone all the way to the end, quite the contrary. Europe should have grown a spine and actually done something.
> Here in the Balkans, people were actively rooting for Trump in the last two elections, because they were afraid Hillary would start a new war here...
Well, maybe you did, but that’s not what I heard from my Greek friends. The Americans are not complicated to understand, they are going where their interests are. What the hell would they do in the Balkans? That is just stupid.
> Their absurd support for tin pot dictators in South America was and is reprehensible, and the whole Iraq war was morally bankrupt and threw fuel on a fire that we’ll be trying to put out for decades. And yet, nothing the Americans did in the Middle East came anywhere near Aleppo or Mariupol. Or the Holodomor. Or the Prague Spring.
Yeah sure... and Iraq had weapons of mass destruction, and Iraqi soldiers killed babies, and Afghanistan had to be occupied for 20 years, because a few Saudis flew a few planes into a few buildings. Plus Syria, Libya, Lebanon etc... and considering how far back you go in history, there's also blood from Vietnam on Americans' hands. And it's funny how it's a "beloved ruler" when it's a friend of America and "nasty dictator" when it's not... so America has to replace the ones they don't like (e.g. Iran).
Sarajevo is not in Kosovo, quite a few years were between Sarajevo and the bombing of Yugoslavia/Serbia. Kosovo Albanians wanted to separate from the main country, and the main country (Yugoslavia then) wouldn't let them... then they formed armed groups that attacked the Serbs, and Serbs attacked the Albanians... basically the same thing that was happening with the Russian minority in e.g. Donbas and Lugansk in Ukraine. Then someone (USA) had some geopolitical interests in the Balkans, bombed the country for 78 days, bombed hospitals, passenger trains, busses, schools, TV stations, cluster bombed a few cities, bridges, roads, highways etc, and built a NATO base in Kosovo.
So, why have a base in the Balkans, if they don't need it?
The sanctions in question are against Kaspersky Labs the company, not Eugene Kaspersky the man. Frankly none of the analysis involves a decision as to whether he is a "dirtbag", by association or not. It's just that there's no way anyone can reasonably trust "security" software produced by entities in a totalitarian state, especially so when it's at war.
So it is not a situation where we have actual evidence of dirtbaggery against the company, but that we are rationally paranoid that Kaspersky Lab could somehow steal our Pokemons.
After I read that profile I decided I'd never use the software. I remember before news spread of the Russian troll farms being real, people talked about it like "who would do that?" Russia would.
I don't think it's their quote - but I remember Penn of Penn & Teller saying about magic something to the effect that the magician does the things that people think "It could be... but who would do all of that work?" This is how I feel about Russia. They will or already are doing the things you think they won't and nothing is beyond being a tool for the state.
I don't really like feeding the image of the Russian super villain, but I don't consider it overly paranoid to avoid installing software from hostile nations. Yes I used this same logic to convince my wife to uninstall TikTok.
Comparison notwithstanding, that's what I felt when I first heard about PRISM. Holy shit, I knew this was all possible, but I hadn't believed that someone actually went through all the effort of doing it.
I think they used underscores in their links originally and then changed them to dashes at some later date but broke things. (You can see this in the second article which links to the first using an underscore, but the redirects they've put in place are broken.)
Was every 17-year-old who attended anything with KGB written on it really dubbed a dirtbag in the 70-80s? Even knowing there were 100 years of Red Scare this sounds a lot like a neurotic leap to a conclusion, I can't imagine KGB's cryptography school teaching teenagers torture skills or something like that.
You really think the choice was to go to KGB school or remain illiterate?
There were a lot of other options to study. Much better options if you want to do science. For one thing, education in Soviet Union was decent and free for everyone.
Going to KGB school was a choice, very specific one.
I know brilliant people from the GDR who studied at Moscow Polytechnic University, they weren't in the KGB or Stasi. You had to be system-conform to study anything, that much is true, but that's still far away from joining the KGB.
Even American security companies have ties to the intelligence community. Kaspersky is no different. In most countries private sector pays more so state hackers work at places like Crowdstrike or Kaspersky after some time. Their relationship with the IC helps develop and share intelligence both ways.
There's an important difference: American security companies have ties to American intelligence. The concern here is Kaspersky has ties to Russian intelligence. If you're an American company or government agency and have to choose between the two the choice is pretty clear.
I have a lot of respect for Kaspersky and hope they are still independent. But "ties to intelligence" can come in many forms: deliberate, coerced, or via infiltration. We've seen similar issues here in the US. Sometimes companies work voluntarily with the FBI and NSA, sometimes they are infiltrated or tricked by them.
> If you're an American company or government agency and have to choose between the two the choice is pretty clear.
I suppose that entirely depends on one's threat-model. As an American, I have greater concerns of USG oppression than I do Russian. As the Russians have their ham-fisted means of exerting influence on a company, the US has their very own nasty ways of infiltration.
If you're interested in personal freedoms free of malicious government intrusion, they both suck.
You can't be more wrong when you say "just like Russia". It is not even close. The killings of journalists, repressions... The last independent newspaper has to close its activity because it is not possible anymore to report truth while complying to the Russian laws: https://www.aljazeera.com/news/2022/3/28/russias-novaya-gaze...
All this with Russian government/president approval rating of 70%.
Levada-Center is the best bet we have: https://www.levada.ru/en/ratings/
But when even Russians who live in Germany are rallying in support of Russia's war it is reasonable to assume that those ratings are accurate.
No, it really doesn't follow. The subset of Russians living in Germany who approve of the war has no bearing or relationship to all Russians.
The "living in Germany" part doesn't contradict the same concerns that those living in Russia have, as like those living in Russia, the emigrated Russians likely have:
- family still in Russia
- ties to Russia (financial, business, family, etc)
- desire to visit Russia without having to deal with legal harassment for actions done abroad
- desire to be able to assist people (family/friends) living in Russia without compromising them
This does not mean that they are for or against a current government, but rather, that the proposed logic is specious as it tries to create a separation where it is not probable there is one while simultaneously extrapolating the results of a small sample size across a population that supposedly is without the influence of Russia.
Well, maybe you're right but I'm not so sure. After watching recent interviews with random people on the streets of Russian cities. Here's an interesting thread on Twitter by someone sharing his experience calling random Russians and trying to talk: https://twitter.com/GentileOslo/status/1506663082634145797
You can never get completely accurate approval ratings. However there is enough evidence that a nontrivial percentage of Russians does not disapprove of the war. Besides the ones already mentioned in this thread, don't forget that it is not Putin personally fighting in Ukraine or arresting protesters or posting propaganda. Does it matter if it is 70% or 40% when it is obviously enough for the state to continue its control over the populace and thus could also compel their IT companies to work for Kremlin needs and against their users?
When was Kaspersky ever considered a dirtbag? That company has written a lot of technically in-depth security reports over various threats for a long time.
AFAIK it's a (relatively) honest business, though sadly the target of American russophobia
When you are entering a cold war with Russia, it's not Russophobia, it's common sense to not allow a potential state actor to have root access to millions of devices in your country.
Also, Kaspersky was literally a former KGB
> At the age of 16, Kaspersky entered a five-year program with The Technical Faculty of the KGB Higher School,[15] which prepared intelligence officers for the Russian military and KGB.[7][8] He graduated in 1987[15] with a degree in mathematical engineering and computer technology.[4][8] After graduating college, Kaspersky served the Soviet military intelligence service [6] as a software engineer.[2][10] He met his first wife Natalya Kaspersky at Severskoye, a KGB vacation resort, in 1987.[2]
Sure, but the allegation was that soon after Kaspersky detected the NSA tools on his system he was hit with a very targeted cyberattack. IIRC that's where the allegations of Kaspersky's involvement with the Russian government came in.
And anecdotally there were a lot of MSPs in /r/sysadmin claiming that every single one of their Kaspersky customers would be hit by ransomware while few if any of their other customers were.
> They did the right thing - finding suspiciously malicious code is their job. Not their fault the user was an idiot, spooks PEBKAC is still PEBKAC.
Except for this part, which leaves a huge question of "do they share knowledge with the Russian govt."
> But the bigger unknown is whether and how Kaspersky’s acknowledged discovery and acquisition of NSA hacking tools resulted in Russian intelligence agencies discovering the NSA contractor, and targeting him for further, apparently successful, attacks.
The concern isn't Kaspersky being a dirtbag, it's Putin legally mandating they become a dirtbag. That's how nation states and wars work.
In fact, there's a similar concern that the EU has with the US. The US's CLOUD Act forces American tech companies to comply with US legal subpoenas in foreign jurisdictions, which means that said tech companies cannot also comply with GDPR data export rules. Hence, it's illegal to include US services on EU websites[0] until and unless the US either agrees to pass GDPR into US law (so that exported EU data is still protected) or repeals the CLOUD Act (so that localized EU data is legally untouchable by the FBI or CIA).
The idea that we can treat a company as wholly separate from its host nation is more of a legal fiction than anything else. It's not, in and of itself, russophobia. If the person running Kaspersky was trying to, say, flee Russia; and people said he couldn't be trusted, then that would be russophobia.
[0] Note: It is still legal for EU citizens to use those US services directly. This only covers data export by EU companies to third-parties.
Sorry, my reference to Russophobia was more at past light that has been shown on Kaspersky, before this year's invasion of Ukraine. I agree that it is entirely possible that Kaspersky could be weaponized now
Unsure of reason for downvotes, but this was my observation as well, and my experience is that Kaspersky Labs scanning software successfully sanitizes its targets and does so without giving the uncanny feeling of wasting one's time.
Putin and friends are moronic for bullying and harassing and mugging Ukraine. But if I were him, I would definitely declare apple pie a security threat in response.
The Stuxnet association seems completely baseless, and you do not provide any evidence for the assertion. There were multiple firms and individuals responsible for the discovery, reverse engineering, and attribution of Stuxnet, so you are overplaying their involvement.
This decision was certainly made by a bureaucrat who may not even know about Stuxnet. It’s simple risk mitigation. Why even take the chance Kaspersky is a malicious entity? It’s not important software.
Some of the conspiracy theories people throw out around here…
His only statement so far on the war (keeping in mind this is rather than saying nothing) called it a "situation" in Ukraine. That's not much to read into, but he also could have chosen to say absolutely nothing.
"We welcome the start of negotiations to resolve the current situation in Ukraine and hope that they will lead to a cessation of hostilities and a compromise. We believe that peaceful dialogue is the only possible instrument for resolving conflicts. War isn’t good for anyone."
I don't think there is a conspiracy here about tit-for-tat Stuxnet or even if he is a "dirtbag". All AV shifts trust from the system to the AV. That is the root of the issue and it is an unsolved problem: no matter where you try to secure something, in the end there is always a compromise somewhere that boils down to "but eventually you need to trust something".
If that something is owned by your enemy in a hot war it's game over.
The minute a vendor can be leaned on by a hostile government (even if they are not in the country, like the founder of Telegram) and the interest is strong enough to lean on them (hot war) the trust assumption becomes problematic. How problematic? I think it doesn't get more urgent than in a hot war.
Kaspersky needs to pack up in all NATO countries. Not just because they pay taxes in RU (also this is a good enough reason for me). But also because if you share data with a non-NATO country it immediately becomes problematic too if your business partner is using their products.
The options under which they should be allowed to continue to operate is purely academic because it involves not only shifting all operations out of RU but also getting rid of any executive who moves to the new location that can be leaned on back home (e.g. family and friends etc).
There is no middle ground because the minute these steps are initiated Kaspersky has good reason to feel mistreated by the West. So even if they kept their hands clean until now they might start doing what they've been accused of anyway.
Also if Positive Tech and others have been sanctioned already some months ago there is no reason to give this much bigger potential threat a pass.
Kaspersky consciously, under no pressure chose to be chekist. That is absolutely all you need to know about this person and his deeds, consequentially. The numerous ruminations on "coercion" are just deeply naive. He is a member of Kremlin gang. Anything else falls into bottomless category of whitewashing.
Kaspersky is by definition a Russian company that provides antivirus software to many influential western companies and institutions.
The risk of Kaspersky bowing to the pressure from Putin is just too great to ignore. For Kaspersky this can seem unfair, but that is one of the many consequences of Putin's actions.
Don't forget who started the invasion and who is still hurting innocent Ukrainians.
> Is Kaspersky a dirtbag or not? I suspect not, but it is an unfortunate accident he was born in and runs his company from Russia, the government of which is a dirtbag, so, correct me if I am wrong, Kaspersky must be a dirtbag by association [...].
Even if he is not a dirtbag, being in Russia means Putin has power to use Kaspersky technology in war.
Is there any point in using antivirus these days anyway? I'm open to being wrong here, but I'm under the impression that antivirus exists only to tick boxes in outdated security compliance checklists. How big of a threat are viruses compared to, say, rogue antivirus products themselves?
Current AV software bloatware is a scourge on the world.
I spent about 30 minutes this weekend helping my sister-in-law debug a slow internet. My observations were that attempting to do anything resulted in about a 5-10 second pause, and general sluggish response when trying to do anything online. I disabled anti-virus, etc. and it was still slow. I tried Edge and everything was super-fast.
Digging further, the issue was McAfee Safe Search (powered by Yahoo). It was singlehandedly adding 5-10 second lag on every mouse click and character typed in the browser. Disabling and blocking that resolved everything.
The developers probably test it using beefy machines and very small latency to their dedicated test servers in the same building. On the other hand, their users probably use old or slow machines connected to busy oversubscribed servers halfway across the world causing significant latency.
It was brutal. I first suspected terrible Wi-Fi, or underpowered computer, but everything worked great in Edge and the computer is a 3.2GHz i7 w/12GB RAM.
I think my favorite part of it is that the issue itself of blocking everything for network calls is like one of the first things I learned about Windows programming in the early 2000's.
It's not just rogue AV software. Buggy, insecure AVs are a big problem too. They're attack surface! Especially when running parsers and interpreters for untrusted inputs in kernel space.
If I were a black hat, I think that the best gift I could hope for would be a 3rd-party program, likely developed on the cheap, whose entire purpose for existing is to sit in kernel space and promiscuously open Every. Single. File. in order to process its contents.
(Granted, I'm a complete layperson in computer security, so there's likely something I'm missing.)
Even when they don't expose any security holes, they bog the computer down so much that I'd almost rather have a virus - at least a command-and-control virus might take steps to make me unaware of its presence.
It’s a thing in big orgs, where macros are enabled in Excel and employees can be tricked into opening mail attachments. Windows Defender should suffice, but like you said, from a compliance/insurance perspective it may be valuable to say “look, we scanned for signatures according to the latest knowledge of [insert vendor]”.
Personally I think that it’s ridiculous that these huge orgs fail to address the actual underlying issue, Excel macros. But hey, it’s easier to fight the symptom than to deal with the root cause, especially if the latter would impact established work flows god knows how far down the line.
I seem to recall an article about a big org, probably in Finance, which took a serious look at the Excel Macro thing. Only a puny fraction of their employees, pretty much all in a couple specialized departments, actually used those. SO - outside of those few and their dept's, all macros were disabled/banned by fiat. Which allowed the relevant malicious-macro-prevention resources & training to be focused on those few.
Draconian bans probably aren't the best way to achieve it, but if it's productivity your org wants they should concentrate on migrating those workflows out of Excel ASAP.
The problem with macros is that people are running arbitrary code that's emailed to them. I don't see how Python solves that at all. If someone isn't checking the macros in the sheet they received before running it, they're also not going to check the code in the Python script.
I have personally watched Windows Defender fail to notice a real virus infection from a USB flash drive. The USB flash drive was plugged in and instantly Windows was infected - Windows Defender did nothing. You could then manually run a Windows Defender scan and it would find the infection but it would not prevent the infection.
I think one's need for a security product should match one's exposure to issues - it depends on your org. For a very long time I was not a fan of anti-virus, in 2022 I'm back to liking anti-virus (more like EDR these days).
MS Defender used to automatically scan USB devices when plugged in but that's not the default anymore (and AFAIK hasn't been for a few years since one of the major updates); you now have to enable it somewhere non-intuitive (like the Policy Editor?).
Not really, when you consider that there are tens of thousands of USB devices that work with Windows, many of which can operate like a flash drive even though they aren't (like cameras). I can imagine MS disabling this feature by default due to the headaches involved.
Notably, autolaunching USB drives is also no longer the default option for USB devices. The user has to specifically choose what action happens when the device is first plugged in (and by default, that choice only applies to the current instance; the user must manually choose to have the choice apply the next time the device is plugged in).
My point is that people thinking that Windows 10 comes with Windows Defender, and that Windows Defender will protect them by default, are in for a surprise. Defender probably is not doing anything you might think it should, by default.
Yes. It was not a current virus, came from an old USB flash drive that had been lying around for years. GravityZone noticed it and prevented it, which is why I knew to go look at the Win10 box the flash drive was last plugged into. Windows Defender's silence would have left us with the virus installed because it was not periodically scanning on its own.
I did not confuse them. Yes, I mentioned GravityZone in a follow-up - which is a BitDefender product, and is the product that found the issue when Windows Defender did not.
The software we develop should have better interfaces too. A security expert should also review stuff created by UX.
Back when “I love you” virus started, we had pointed out something simple as “open for read” vs “open as in run/execute” should not have had the same interface.
All the new security enhancements we have today - don’t run as admin, alerts to request privileged access, sandboxing - all of them existed for a decade, but the software vendors never had the guts to weigh security higher than UX
This is why people don't like IT staff a lot of time. They think their needs of making their own jobs easier outweigh those of the organization and getting stuff done.
The bigger problem is that the IT staff is often so ludicrously underfunded, that they ARE a bottleneck. There probably are ways to manage team/personal productivity with organization needs, but without time to dedicate to analysis, you get blanket solutions. Which is another reason why self-provisioned SaaS rather than IT managed systems are big.
This may work some of the time, but expect "I need $windows_program" to foul your chances of this. It may not always be legitimate, but telling heavy-duty transport mechanics they can't have Cummins or Bendix software (for engines and brakes) to help them diagnose, when that's the only output for troubleshooting supported by the OEM, will not end well.
This makes me think: when are we going to see that Windows software directly on the web?
For me it makes a lot of sense to be able to sell a software subscription instead of a one-time product sale, and on the other hand to make it available to use on any device in the world with an internet connection.
This also can be done like Chrome apps (like Docs) or some Electron apps (like Spotify), where you can use content without Internet for some time without any problem.
For a mechanic who is looking for the amount of torque needed on a bolt this could be perfectly viable, for example.
> For a mechanic who is looking for the amount of torque needed on a bolt this could be perfectly viable, for example.
We're going to start talking past each other pretty quickly if you think this is worthy of a (software) service subscription. Torque specs belong in a manual (ideally on corporate intra-net or paper); I'm talking about when the engine is deeply unhappy, and you need more to go on than a driver reporting a yellow check light.
In the case of the latter, I'd say it absolutely deserves to be a 20 year old program (which tend to be lighter) that runs entirely offline. The last thing any garage wants to do is chase hardware requirements or search for a wifi signal either out in the yard, or in between hoists, lifts, and miscellaneous heavy equipment / tooling - all of which tend to trash a wifi signal.
I used to work on the team at Mozilla that got stuck with dealing with all the terrible shit that AV programs do to web browsers. My recommendation for Windows users is to just use Defender.
All that other crap does the exact same stuff to other programs that malware does, except they do so in the name of "security."
Our bog-standard business ultrabooks have been requested to perform a full disk scan each Friday. Which means their CPUs and Fans are running solid, most all Fridays.
I'm CERTAIN there are massive hidden costs in fan replacement and Laptop repairs and nothing useful discovered as a result.
It surprises me how much many posters on Hacker News seem to be against using any sort of AV software - not even the built in Defender solution in Windows, if you have to use the OS for whatever reason, but i often see the sentiment expressed that supposedly the entire class of software is useless.
What happened to defense in depth with all of the layers you can introduce?
Surely if you run a Linux server, you might want a secure password for it, or better yet, key based authentication. Port knocking? Why not, throw it in there as another layer. Maybe deny authentication on an IP range basis? Why not. What about fail2ban or some other solution like that to disallow brute forcing? Sure. Or maybe require using a VPN to connect to it at all? Even better! Actually, even running your SSH server on a non-standard port will be enough to get rid of some attempts to brute force the password.
Sure, key based auth makes many of those moot points so i probably have the order of some of those steps wrong, but surely there's a lot of merit in combining whatever solutions you can to make the end result more secure, right? Hell, if you're running a web service of some sort or an application for yourself, adding basicauth in front of it at a web server level is enough to act as a safety net should the auth functionality of the actual application be broken, until you patch it.
So why should Windows be any different? If i'm stuck using that OS, i'd surely want to use whatever software is available to me to make the uphill battle towards something vaguely secure more doable, no?
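The SSH layers listed in the comment above (key-based auth instead of passwords, source restrictions, a non-standard port), as an added example that is not part of the original thread: a small auditor that reads an `sshd_config` and reports which of those layers are actually in effect. The two sample configs are constructed; fail2ban, port knocking and VPN gating live outside `sshd_config` and are not checked here.

```python
import re

# Upstream sshd defaults for the keywords inspected here (sshd_config(5));
# distributions may ship different values in their packaged config.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
# Deprecated spelling that OpenSSH still accepts for the same option.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
# Keywords whose values accumulate across lines instead of first-value-wins.
ACCUMULATING = ("port", "allowusers")


def parse_global(text):
    """Return (effective global settings, has_match_blocks).

    Simplification: Match blocks are detected but not evaluated, so anything
    after the first Match line is ignored and flagged for manual review.
    """
    first = {}
    multi = {name: [] for name in ACCUMULATING}
    has_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        fields = re.split(r"[\s=]+", line, maxsplit=1)
        key = fields[0].lower()          # keywords are case-insensitive
        key = ALIASES.get(key, key)
        value = fields[1].strip() if len(fields) > 1 else ""
        if key == "match":
            has_match = True
            break
        if key in multi:
            multi[key].extend(value.split())
        else:
            # sshd uses the first value it reads for a keyword, so a
            # hardening line appended below an earlier setting has no effect.
            first.setdefault(key, value)
    cfg = dict(DEFAULTS)
    cfg.update(first)
    cfg["port"] = multi["port"] or ["22"]
    cfg["allowusers"] = multi["allowusers"]
    return cfg, has_match


def audit(text):
    """Map each layer from the comment to True/False for this config."""
    cfg, has_match = parse_global(text)
    return {
        # Password prompts can also arrive via keyboard-interactive (PAM),
        # so both password paths must be off for key-only logins.
        "key_only_auth": (
            cfg["pubkeyauthentication"] == "yes"
            and cfg["passwordauthentication"] == "no"
            and cfg["kbdinteractiveauthentication"] == "no"
        ),
        "non_default_port": "22" not in cfg["port"],
        # AllowUsers USER@HOST patterns restrict logins by source address.
        "source_restricted": bool(cfg["allowusers"])
        and all("@" in pattern for pattern in cfg["allowusers"]),
        "has_match_blocks": has_match,
    }


# Constructed sample: the admin appended a hardening line at the bottom,
# but the earlier "yes" is the value sshd keeps.
WEAK = """
# constructed sample config
PasswordAuthentication yes
Port 22
PasswordAuthentication no
"""

# Constructed sample: several layers combined, plus a Match block that
# needs a human look because it can re-enable passwords for one user.
LAYERED = """
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers deploy@10.8.0.* admin@10.8.0.*
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, sample in (("WEAK", WEAK), ("LAYERED", LAYERED)):
        print(name, audit(sample))
```

On a live host, `sshd -T` prints the effective configuration after includes and defaults are resolved, which is the authoritative view to compare against.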
> What happened to defense in depth with all of the layers you can introduce?
What happened was antivirus itself became your biggest attack vector, so you were more secure without it. Plus Microsoft actually cares about security now, which wasn't the case 10+ years ago.
For Windows one of the best things you can do, AV or not, is to NOT make your daily driver account an administrator. Create an admin account with a secure password and then another standard user account for yourself and use that standard user for everything. When installing something you will need to put in your admin password but it is really not a big deal to do so. Massively reduces your chance of ransomware and all kinds of crapware.
Enabling protected folder access and process isolation in Windows 10 is also a good idea.
It is not just UAC though - when your daily driver is NOT an administrator then how is most ransomware or malware or whatever going to run and install itself in the first place?
UAC still pops up whether you use an admin account or not - it just requires the admin password when you use a standard account (which is, of course, still more secure). But the real advantage is that the account you are using does not have those admin privileges in the first place.
The other big advantage is that if this account is compromised in any way (say if you used the same password to login to Chrome and Windows on your standard account) the hackers only get the password to your non privileged account. Of course this can be mitigated as well by really good password policy but I find for the average user they often re-use passwords and separating the two accounts forces them to often re-use the one that matters least.
tptacek could probably weigh in with a much better explanation.
The tradeoff for having AV is having a giant application in admin land which increases the surface area available for an attack. Combine this with the fact that you don't get much protection because a virus can just be modified until the AV doesn't detect it and AV's just aren't worth it. This trade off made sense 20 years ago because OS's were less secure so you were increasing your surface area by relatively less than you are now.
> but i often see the sentiment expressed that supposedly the entire class of software is useless.
AV software, including Defender, is not useless, it is actively harmful because it prevents people from running legitimate software without any recourse for non-experts or the original developer.
what happened was the security industry proved over and over again that it can't be trusted. most windows recommendations i see say to use defender since Microsoft already owns you
I have not thought about 3rd party antivirus software in a long time. Granted my only use case for windows 10 is gaming, and any binary (or any file really) that I download goes straight to virustotal before I open it.
Corporate “anti-virus” is much more than just anti-virus these days. Most of them don’t even call themselves anti-virus, but endpoint protection. Other than anti-virus, they let you set policies on USB ports, block web browsing by categories or specific domains, let you run software inventory reports, etc. These things are very important, especially with work from home, as you can’t really block things at the office firewall anymore.
To disable the built-in one. Windows Defender acting up randomly while you do serious work is a huge pain for many people. Can you imagine? You play an FPS happily at 120fps and Windows Defender suddenly kicks in and you get 10fps and are shot down by the enemy team. It happens all the time.
Windows has had "Microsoft Security Essentials" built-in for longer than I can remember (10+ years?). It's not a terrible thing and keeps out of your way and doesn't seem to bog your machine down. Unlike the steaming pile of crap that my work computer runs (EndPoint) that consumes 60-80% CPU when doing its weekly full scan for over an hour right in the middle of the working day.
MSE is really all I've used since binning AVG which turned into bloatware.
Took me a while to figure out why my browsers always seem to randomly pause for about 30 seconds. It's that piece of crap McAfee. I can watch its process go to 100% when the browsers (Firefox and Vivaldi) freeze. It's garbage and I wish I could turn it off and just use MS AV but the IT staff swear by McAfee so I live with it.
I feel your pain. We have a load of other crap loaded such as Umbrella that is supposed to protect us from harmful websites. It does stuff like intercept DNS lookups etc. It's such a pile of shite and doesn't work properly when I need VPN into our cloud infrastructure. When it's configured so badly it feels really anti-work. But hey ho, "security reasons".
My company forces all of us to use a product called Zscaler. I have no idea if it is effective, but it is constantly running and uses the vast majority of my CPU. The degree to which it slows down my computer and slows down development is astonishing. I have to wonder, across the entire company, if the potential cost of stuff lost that Zscaler supposedly protects us from is worth more than the real cost of lost productivity, not to mention whatever they are paying for Zscaler itself.
You should see if you can get them to debug the situation. Unlike plenty of bloatware discussed on this posting, Zscaler is usually not that resource intensive. It is more of a better corporate VPN than it is an AV tool.
There really is not. Windows Security is insanely good at detecting everything nowadays. I still use Malwarebytes Antimalware as that was really good at detecting things back in the Windows Defender days, and i still have a lifetime subscription. But i feel even that is not really necessary, you can run the free one every once in a while to find bad cookies and such.
I don't think you're wrong at all. Considering Symantec is mining with your computer on top of all the other terrible things anti-virus companies do to your computer, at this point a virus might be less intrusive.
EDR is the future, not impenetrable by any means but it protects enterprise a great deal. And it allows the network admins some control, which makes everyone feel good.
> Kaspersky also maintains that it “doesn’t have any ties with any government, including Russia’s
This take is either naive in the extreme, or disingenuous.
For a security company trying to maintain a trusted reputation, neither of those two options is good.
While possibly technically accurate, it is a dodge or a flub that overlooks the fact that their autonomy can be usurped by the governments where they are based and where they operate.
To be fair, this is true of almost any company I can think of, although I wonder if a DAO could get around it.
The same can be said about any vendor in the world, though.
Any of them is one NSL away from becoming a spy, wrecker or saboteur.
If your threat model includes foreign governments, don't use foreign closed source software. If your threat model includes your government, don't use domestic closed source software.
Or do, but either be ready to mitigate the harm, or be willing to live with it.
In the long term, this will prove to be a good decision, as other countries figure out that US companies (Microsoft, Google, FB, Twitter, Master, Visa etc) are in bed with spy agencies of the US. Other countries are given more reasons to NOT depend so much on these companies.
Why do we accept the risk of intrusion from antivirus software at all?
All antivirus software developers should open-source their traversal software and thus guarantee that no harm can be done. The scanning doesn't need write access and doesn't need network access.
While I understand the intent behind your comment, the only thing that would achieve is to allow people to reverse engineer and discover more vulnerabilities
I spent Sunday researching alternatives, then uninstalling KIS and trying to install BitDefender.
From this I conclude that the current state of AV/Security apps is dismal. Researching alternatives is difficult, it falls directly into the cesspool that is web product recommendation in 2022. Trying to weed out the garbage articles, I find a handful of apps that are consistently rated at the top.
I discarded the recommendation of McAfee. I'm forced to use that awful thing at work, and I won't deal with the performance penalty it exacts. I wound up deciding that BitDefender was the best choice.
But setting up the new software has been an awful out-of-box experience. Configuring the tool was a serious chore. The tools (like for the firewall) were clunky and difficult to use, and once I finished on one machine there's no way to export the settings to apply to other devices. Going to their website to make suggestions, I found another post indicating that their tool is unable to restore from quarantine, files that belong in protected parts of the filesystem. The support analyst had replied "thanks for the interesting suggestion" - for something that seems like a Severity 1 bug!
I'm not trying to advocate for Kaspersky - I can see that with security being its raison d'etre, they're a bridge too far. But come on, the rest of the industry really needs to get their act together. The KIS product is really head and shoulders above other products I've seen, and we should be competing on the merits, not just "the Russians are a*holes".
I fully agree that the antivirus market is a cesspool, and long has been so. The upside is that Microsoft’s first-party solution is decent and ships with the OS, so you can sidestep the entire project of figuring out which third-party AVs somehow manage to do more good than harm.
I haven’t looked into AV for macOS in ages; when last I did (~5y?), Sophos (if corporate/paid) and ClamAV (fine for home use) seemed reasonably non-interfering.
I'm curious, can you tell me why Windows Defender is inadequate? I also gather that Microsoft sells an enhanced version for businesses with needs beyond local machine antivirus.
I guess that's a fair question, as it does seem to suffice for most people. I have a few reasons:
* Extensive use of Chinese sites, which are quite a mess. I think the risks of visiting that part of the Internet are much greater than someone engaged in more typical usage.
* Features like firewall are useful for things other than protecting against direct hacks, and I use it to ensure privacy and occasionally even to simulate failures when testing my code. I think that Defender has such a thing, but less sophisticated?
* Probably just being more paranoid than most, having lived through an era when less protection was available, and having to un-hack family members.
ETA: also, it's good to have a different sort of protection when the majority is all homogeneous. Windows Defender is the obvious high-value target for hackers. Same kind of weakness and monoculture.
I'm in the space and it's actually pretty rare to see a real 3rd party host-based firewall. Most AV products that have firewall really just offer a different control surface for the built-in windows firewall or iptables.
I can't speak to its inadequacy, but I can point out that it is obviously unethical for Microsoft to sell a broken operating system and then separately profit from a product that mitigates part of what is broken in Windows. Microsoft now has no incentive to fix Windows, and, in fact, benefits from not fixing it. Seems to me that is a job for Linux, anyway, and this one time Linux fell down on the job and failed utterly, iow, not even Linux can make Windows secure. Does anyone else see the irony of the FCC banning Kaspersky? It is as silly and ineffective as banning viruses and malware. If they had any concern for security as opposed to security theater, they'd ban Windows.
That's not really a fair critique. Maybe if this was the year 2000. But modern 'antivirus' isn't about fixing a poorly designed OS. It looks for known malware signatures, detects suspicious activity in other software, and so forth. You need that kind of thing on any platform, especially ones that run a web browser and/or let users install the software of their choice.
All of that functionality is available in the free version. The paid version is for managing the security of entire large networks of devices from things like ransomware and advanced persistent threats.
> That's not really a fair critique.... You need that kind of thing on any platform
This is the boilerplate response to the valid complaint that Windows security is a nightmare. While in theory, other platforms (Linux, BSDs, and idk, OS/400, OS/2, etc.) technically can get infected by viruses, in practice, infection on these platforms would be a vanishingly rare oddity, even compared to the also incredibly rare cases of intrusion.
That said, every major non-Windows platform in its default install configuration is inherently more secure than a Windows system that has had all of its known default security issues addressed, even those beyond what Windows Defender provides. Windows is not simply a more attractive target for malware authors because it is a more popular platform with a larger install base, it is a more popular target because it is inherently insecure, and we know it is inherently insecure because it would be foolish for anyone to run Windows and access the WWW without first addressing its security issues.
It is possible, and likely even probable, that someone could use an unhardened, non-Windows system in its default install configuration for ordinary personal computing for years without ever experiencing the security threats that online Windows users face on a minute by minute basis.
But to be fair to Windows, it honestly often is a turnkey solution to whatever office computing needs there be, and without it, information security, as an area of study, as a profession, and as an industry, would not even exist as we know it today. The fact of the matter is that Windows' security issues (and other issues Windows exhibits unrelated to security) create jobs, and this can not be ignored. Arguably, the jobs Windows creates are more important than the security issues it introduces. Also, to be fair, without C, C++, .NET, Python, Perl, and JavaScript, Windows would probably be 90% more secure, so it is not all Microsoft's fault and, in a sense, some of the problem is beyond their control.
>That said, every major non-Windows platform in its default install configuration is inherently more secure than a Windows system that has had all of its known default security issues addressed, even those beyond what Windows Defender provides.
Highly disputed.
>Windows is not simply a more attractive target for malware authors because it is a more popular platform with a larger install base, it is a more popular target because it is inherently insecure and we know it is inherently insecure because it would be foolish for anyone to run Windows and access the WWW without first addressing its security issues.
Do you have any specifics about any of this? It really just sounds like Slashdot talking points from the Windows XP era.
With something that has hooks that deep in your OS, blocking internet access via the application itself is not going to be effective in any way if it's hostile software (or turns into hostile software via government decree).
Devil's advocate: that efficiency is one important reason why we're rich enough to be able to afford so much else. Like, CO2 emissions are best controlled by societies who are able to shoulder the greater expense of avoiding coal and such. If we can't count on these efficiencies, we're going to lose a huge amount of positives.
This sounds to me kind of like the fallacy of "if it saves even one life, it's worth it". That's of course ridiculous, because saving that life costs so much that we'll be unable to save countless other lives. In reality, the balancing of costs and benefits is much more subtle and complex.
That was actually going to be my first choice. From what I read it seems better polished than others. But then I read some recent lab tests in which ESET missed blocking a ransomware attack. And that's the threat model that worries me the most.
Any anti-virus can miss a malware at any time because they rely on updates which take at least a day if not more to be prepared and tested before being distributed in the updates. Don't worry about ESET missing one ransomware attack in a lab test. Do backups daily.
So... let's say a person still wanted to use an Antivirus product anyways, despite not really trusting them due to reasons like this article here; or anything you can say about Norton, etc, etc.
What would you all suggest? Aside from McAfee, Norton and of course Kaspersky. I'm all ears. Some helpful hints though might be:
1. I don't want it giving me pop-ups constantly to remind me of a sale they are having.
2. It can't interfere with legitimate programs more than once in a blue moon.
3. It has to be capable of being run with other security software at the same time without incurring an infraction against #2.
4. It has to cost less than 100$ per year, if there has to be payment at all.
I'm asking this because I need a reliable choice to use when suggesting to my potential customers out there. I have some go to's that I used to use, but with everything the way it is right now; I want some input.
Yeah so, I normally am in the same camp. If I have windows running, it's likely just running defender and whatever other things I have personally done to the system to 'harden' it. (Lol... hardening windows... right.)
Anyways.
The point to my question was to find those few helpful anti-viruses and other programs that might help fill the spots that WD might not. Ya feel me?
I've considered Eset a few times before. Never went all the way yet. Thank you.
Anything in particular you want to add about it that might be a good tip or so? Something that only someone who's been using it for a while will know, kind of thing.
Back in 200x, we had a very old machine. It had 64Mb of RAM only. We had to install AV on this and through sifting through the AV softwares, only eset nod32 ran on it without slowing it down or taking too much resources. I like how they optimised it to the point where I could run it on that old machine. They say they write it in Assembly but I think it's just a marketing ploy. However the result satisfies me enough.
From then until now our business has gone through a lot but ESET has never been something that bothered us too much. It just sits in the background doing its thing. I have terrible memories of Symantec / McAfee just being annoying, but Nod32 is just the thing you install, it sits there and you can forget about it.
Ah yes. Assembly. I really should get around to learning it so I can test some game designs on my model 1 sega genesis.
I don't know if it's a marketing ploy rntksi. What you are describing so far sounds very much like it has been written in something like Assembly if not actually assembly. From what I know at least. (Could totally be way off)
Assembly as I know it, is used because it's not resource heavy if written properly. And an antivirus definitely needs to be written properly.
Anyways. Yeah, I am probably going to give it a look for use on my intel workstation/server. It's definitely one of the 'vulnerable' chips they released.
Thanks for the input. After having a look at some sites that compare the two's products on the consumer and business level; I think I am going to keep both available for customers in some fashion. Some might prefer one over the other, but I do have to say...
Eset seems to have more features, but they both trade blows on effectiveness according to some graphs. So I think they might be good to use with each other in tandem if they will play nice.
Just use what comes with Microsoft. If you want another layer of scanning then install Malwarebytes. Those two should be plenty for anybody. Also set their DNS to use something that blocks known malware sites (Quad9 is what I use).
Quad9 is useful, but I found some websites that should work ended up not working anymore or as well. Kind of annoying. But yeah, Malwarebytes is one I haven't thought about for a while. Last I saw one of their things on a computer I was fixing was also one of the last times I saw CCleaner on a computer as well.
But yeah, windows defender IS usually good enough.
At least the business version of F-Secure is not annoying the living daylights out of me, although I have the more onerous securities turned off (like the browser protection).
In a way I get it. I also agree with it.
Europe should also try to reduce dependency on American tech products for the scenario when the US becomes hostile towards Europe. A bit unlikely now, but you never know.
Agreed that Europe should reduce dependency on US tech products. Among the reasons is how the US govt has been caught spying on allies multiple times. Which is sad but a clear sense of ethics missing in the US govt (along with a long list of others).
> A bit unlikely now, but you never know.
On the timeline we exist, it's a possibility!
Not just Europe. Europe makes the most sense because Europe is the wealthiest region on earth and has the ability to fund its own tech industry. Europe did it for aerospace (Airbus), but why they aren't doing it for something far more important than planes is beyond me. But China, India, Japan, etc should all be developing their own tech spheres. I can't believe that any major country allows Windows, Facebook, Google, Apple, etc in their nation. At the very least ban it until they develop their own local competitors first. Not only would this be good for China, India, Japan, EU, etc, it would also be good for tech and the rest of the world since they will have more options. It's amazing how useless so much of the world's leadership are.
Nobody within the hacking scene actually believed that story. It’s remarkable that there’s been 0 evidence that Kaspersky has ever had a backdoor yet so many people believe it.
The NSA’s own incompetence led them to run an antivirus on a computer with Equation Group spyware on it. Keep in mind that Kaspersky had been fighting Western intelligence services for years at that point. Israeli intelligence actually breached Kaspersky’s network in 2015, no doubt because Kaspersky is the only AV company that actually exposes US-created malware.
I hadn't seen this. Wow, what a fail. Like not only factually wrong but parrots Putin's now quite obviously false narrative about the motivation, which I don't remember seeing anyone else outside of the Kremlin doing.
I'm happy with what I consider to be the most competent AV suite available, made by a team of researchers that is second to none.
If the U.S. accusations are ever proven to be true, I will reconsider. But I'm not holding my breath, since the U.S. has time and again been proven to be guilty themselves of the very thing they accuse others of, and refuse to provide any proof of.
What would you consider "proof"? I feel like it's not far-fetched to assume the Russian Government can compel Kaspersky to do things. This same government is so insecure that they order assassinations of minor political opposition leaders.
I'm surprised that everyone here thinks that Kaspersky makes only antivirus products. They have a ton of security products, including their own microkernel-based OS:
https://os.kaspersky.com/technologies/microkernel/
The original Russian title of the investigation was "Orcs who defeated the techies: How the siloviki infiltrated Kaspersky Lab — and what it led to", you can check this story in Russian here:
https://meduza.io/feature/2018/01/22/orki-pobedivshie-tehnar...
No source code publicly available? Available on millions of US computers?
That should automatically qualify it, and any other malware/proprietary software that's used by more than a handful of people, across a handful of US states as a national security threat.
Inevitable and good. I'm relieved that we are at least stopping the pretension that we don't have an ongoing conflict with the "totalitarian east" of the world. China and Russia are absolutely a threat to modern democracies and we have let the economic interests of the few override those concerns for far too long, with terrible consequences for both us AND their own population, which we contribute to the oppression of by propping up those totalitarian regimes with a constant stream of cash.
Globalization was a terrible idea the way it was done and I'm glad it's coming to a close.
In the new version a super AI computer is ready to launch a massive automated cyber war. While trying to get the 16 digit “launch” code it runs thousands of simulated scenarios. As things look dire, the hero has the machine play tic-tac-toe with itself…
Just before launching the attack it learns: The only way to win is not to play.
Seriously. What the hell is the world devolving into?
Here’s what I think an alien species watching earth from distant orbit would think: The people are OK. Their so-called leaders are insane. Every single war was started by their leaders. How odd.
What? I guess enjoy your strawman? I never mentioned the US and this isn't a comparable situation. I'm talking about a business decision to not be associated with the KGB in countries where you do the vast majority of your business (EU and North America)
Much, much easier to configure and manage and denies almost everything by default. Extremely easy to quickly unblock software as necessary too. 10-100x faster workflow compared to the built-in firewall, so you will actually bother to use it instead of getting complacent or ignoring it.
Unironically, McAfee may be a greater threat to US national security than Kaspersky. McAfee is actually used by the Department of Defense[1], and Kaspersky is not. Given how bad McAfee actually is, I think that that makes it worse.
I found it always fishy that Telegram applauds itself for being a secure messenger but decided against encryption by default. With the flick of a switch every doubt would go away but alas.
The 3-letter US agencies do not have direct access to Telegram's servers, they do have when it comes to WhatsApp (or to any other US-based company). The same goes if you're a Russian doing anti-government stuff in, well, Russia, it's better to put your fate in WhatsApp's (and Meta's) hands, presumably the US agencies won't come after you for being against the Russian government. It's a classical game of arbitration (for lack of a better word).
I agree with your logic, though a paranoid person might point out that they don't need access to Telegram's servers; access to the app store or to automatic OS updates would be enough.
You agree to the logic based on a false premise that the 3-letter US agencies do not have direct access to Telegram's servers which are located in the US (among other places).
I've been amused by the number of technical people that prefer Signal vs just not shutting up about the messaging app they use and not pretending like they're some sort of authority on the topic instead of someone who deals with SOC2 compliance daily.
(This is actually independent of you or Signal, I just find it amusing that people throw their security brand™ behind some app and it's just them picking the one they like most of the time.)
Telegram is fine if you just use it for 1on1 conversation with encryption enabled. The same goes for WhatsApp (encryption is enabled by default). If you are looking for secure group chats Signal would be my choice because it skips the server (WhatsApp sends all group messages to a server before distributing it). There are also more exotic providers like Threema, Matrix and many others but the onboarding for non-technical users is harder, though they also have advantages like not needing a telephone number to sign up. For the general public I would use Signal mainly because it’s directly in the middle of security and ease of use.
End-to-end encrypted by default doesn't mean much if you don't trust the third party providing the software that does the encryption. One automatic app update can enable leaking of encrypted communication.
The bigger problems for me would be the app stores because they could implement a MITM. Telegram and Signal have their client sources open so you at least can check and compile them yourself but if I would handle data that was so sensitive that I can't trust any other entity I would just self host Matrix or XMPP and chat with myself...
Who also promised to cooperate with Russian government in exchange for lifting the ban on the app.
And even if he didn't, if you run the most popular messenger app in Russia you can't simply hide behind "citizen of some other country". KGB is known for poisoning/shooting people abroad for much less, and especially if you have family or close relatives back in your country of birth you really have little leverage to speak of.
The White House campaign to explain its Russia policy on social media did so via Chinese properties Zoom and TikTok. I don't think we can rely only on domestic production right now.
Russian citizens != Russian government. The Telegram development team is not on good terms with the Russian government last I read. With that said, it still operates within the borders so it's subject to government control (just as any US-based messaging service is subject to US government control). It's always a cat-and-mouse game between those who want free, unfettered, unmonitored communications and the governments that feel threatened by that kind of freedom.
You are thinking from a completely different perspective.
There's nothing for governments to allow people to communicate freely. Telegram is one of the few platforms that allows that... and this is a good opportunity for the US government to do that.
Kaspersky has a very good research team which uncovered a lot of APT hacking groups including Russian ones so I don't see a reason why would they be a threat. But on the other hand Russian state can force them to snoop files and traffic from their clients but I doubt that will happen because everyone would stop using them and they would go bankrupt. Imo US government should use domestic antivirus solutions.
EU, US and their allies can kick Kaspersky off the market. It would be a game over for Kaspersky meaning zero installs(licenses) and zero revenue. It is not worth to do it not even in the short term. Trust would be forever lost.
>> The Russian state might not care a lot about that possible consequence and still coerce them to include malware in the next update.
> EU, US and their allies can kick Kaspersky off the market. It would be a game over for Kaspersky meaning zero installs(licenses) and zero revenue. It is not worth to do it not even in the short term. Trust would be forever lost.
Do you think Putin would shed even a single tear over Kaspersky, if what you describe was the consequence of him getting something he wanted?
30/03/2022
my.kaspersky.com account got wiped, passwords saved in password manager are gone.
account related to my licence on store.kaspersky.com remained.
Their customer service were willing to argue that I had no account on my.kaspersky.com, this issue is unresolved until now.
My email communication to their customer support is not rejected on their side.
At work we are required to have EDR software by our accounting firm (accounts inserting themselves into IT is annoying). We were running Kaspersky as well until this happened though we were already unhappy with it so no loss.
Anyway it made me think: is there a way to roll your own EDR for Windows/Linux/BSD? Basically, can we do EDR without the EDR software?
Trusting a security firm is a chain of custody problem, which ultimately goes down to where are the premises and what is the legal and governmental environment. If this last stop cannot be trusted, then I guess it breaks the deal for some sensitive clients, understandably.
I understand why this decision was made. However I want to put it out there, the Kaspersky antivirus and also the Kaspersky internet security suite helped save my business behind so many times back 15 years ago. Great product, the best I knew of in the antivirus class.
Doesn't any foreign company contributing a device driver to Microsoft present the same risk profile (could be based in Russia, or infiltrated by Russian agents, or hacked by Russia)?
German policy was out in la-la land. Politicians sold the public on green policies before the infrastructure was ready and heavily relied on imported non green energy to get there. They didn’t have to shut down their nuke plants, but ‘make happy’ led them down that path of dependence —just as most of the industrialized world is dependent on another questionable government for consumer goods and microelectronics. Offshoring is awesome for the ruling class until it isn’t.
Wonder if Google, Facebook, Twitter, Microsoft, etc will be added to this list. While US may consider them national security assets, it is usually the opposite that is true. Like building backdoors into encryption, these services build backdoors into people's lives. Also note, it usually often only takes one rogue employee with superuser access to compromise a system.
They're US companies, which means the US has a variety of options to influence its operations. While there are a variety of risks that such companies present, Kaspersky is in the qualitatively different situation that a different nation-state has greater influence on its operations.
This is by design. All those companies are in bed with the feds, and no matter what administration.
The State is not there to protect and serve you. Unless proven otherwise the State sees you as a potential enemy.