Why Avast Won't Show Source Code To the Government, But Others Do (zdnet.com)
An anonymous reader writes: Avast, a security and antivirus company based in Prague, says they refuse to share their source code, and that the U.S. government hasn't even asked them. This is not necessarily the case for the rest of the industry. Over the summer we learned from a report at The Intercept that GCHQ and the NSA had a project to subvert security software so they could use vulnerabilities and exploits to their own advantage. Antivirus firms McAfee and Symantec were notably absent from the list of targets, and Symantec later confirmed over email that they "permitted source code review in controlled environments to meet government requirements." In addition to raising questions about whether a security product can be trusted under such circumstances, it also causes political problems: "Giving assurances to one country, and receiving government certification, can harm a security company in another. China, a known cyber-adversary of the US, accused Symantec last year of including backdoors that could allow outside access -- though it did not specifically say how -- and banned the product from the country."
Re: (Score:2)
RE Security Software (Score:1)
Re: (Score:2)
What good is open source hardware? How are you sure that your open source hardware hasn't been compromised between the factory and your house? Can you really be sure that the documents detailing the open source design of your hardware are actually being followed? Is there really any way for people to verify what's going on inside the CPU?
Re: (Score:3)
How are you sure that your open source hardware hasn't been compromised between the factory and your house?
That Fed-Ex driver is a sneaky one with mad hacking skills!
Re: (Score:2)
That Fed-Ex driver is a sneaky one with mad hacking skills!
Actually there are numerous documented instances where one three-letter agency or another has intercepted computer hardware en route, added tracking or monitoring hardware/software, and then resealed the box so it could be delivered. I don't have citations at hand, but I believe both the FBI and CIA have admitted to doing this. I think possibly the NSA as well but I don't recall for certain.
Re: (Score:2)
It still means that open source software in many areas is likely to get a huge, spy vs spy, push, because no one trusts anyone anymore because a lot of the spying has devolved to extortion scams (to force political alignment against the wishes of the majority, also very corrupt government private business 'er' partnerships) and industrial espionage as well as of course very focused capital investment espionage (think insider trading upon a mass scale based upon stolen data, NSA/CIA insiders, literally b
Re: (Score:3)
"Photos of an NSA “upgrade” factory" (May 15, 2014)
http://arstechnica.com/tech-po... [arstechnica.com]
Re: RE Security Software (Score:1)
"Numerous" is an inflation. There's one known instance, which is reason to believe there may be others, but no other examples are known publicly.
As for why Avast hasn't been asked -- the government hasn't used their software. It's as simple as that.
Re: (Score:2)
"Numerous" is an inflation. There's one known instance, which is reason to believe there may be others, but no other examples are known publicly.
I tried to locate the page which detailed this but couldn't find it. I seem to recall it was an ex-DEA or NSA employee who was explaining it. He recounted that this was done very frequently, with his involvement in over "a couple of hundred" instances. Unfortunately I can't find the page, but it was quite clear that it was by no means limited to one or even a few instances.
He detailed how they worked closely with UPS, FedEx, DHL, and the USPS to divert packages, fiddle with the hardware, and then seal every
Re: (Score:1)
Re: (Score:2)
Based on the Symantec quote, it seems more like the NSA wants to audit the anti-virus before it gets used on government systems. So, more likely, Avast isn't asked for their source because they're not getting greenlit to be installed.
Re: (Score:2)
Based on the Symantec quote, it seems more like the NSA wants to audit the anti-virus before it gets used on government systems. So, more likely, Avast isn't asked for their source because they're not getting greenlit to be installed.
Bingo. There are certain gov organizations that you can't sell into unless you let them audit your source. It's not just the US either. Also required for certain Russian certifications (for example).
Security through obscurity? (Score:2)
Well, that one never did work...
heh (Score:1)
so that's it for Symantec and McAfee. Keeping Avast, kthxbye.
my theory (Score:2, Funny)
Re: (Score:2)
Re: my theory (Score:1)
Or they already had what they needed from Avast.
Re: (Score:2)
For a list of products that have had at least one government (or their representatives) crawl through the
Re: (Score:2)
We need community alternatives (Score:2)
TrueCrypt was a community project as is its successor. Not to mention Linux and the like. There is no question this model works at this point.
We need something similar for anti-virus/general security software for non-technical people.
Let corporations waste money on junk like McAfee and Symantec...millions for peace of mind and not much else.
Let the community have an option that we can rely on as being non-backdoored, and that non-technical users who need this such as journalists can have a reliable option.
KG
Re: (Score:3)
The model works for Linux and TrueCrypt because the barrier to entry is low. Anyone can work on those projects with just about any PC from the last decade in their basement.
No, you probably can't hack on a specific hardware driver much without buying some kit, but most people doing that have said kit and are incentivized to make it work for them, then they just share. I know some of the kernel driver devs 'work for kit' too: send me a shiny new iWhatever and I'll try and update the iWhatever N-1 driver to w
Re: (Score:2)
A unique "equipment interference" project would then create gov malware just for that user. No signature would/will ever exist as it is one of one. Any outgoing software firewall would see it as being allowed/trusted by the user.
Heuristic analysis can help. More security on the average AV phone home, update functions was often lacking allowing governments to have a good understanding o
China is dumb (Score:1)
China is dumb for disallowing Symantec because they think it includes backdoors for the USG, while they continue to use Windows which almost certainly has such backdoors.
Re: (Score:1)
They are relying on MS incompetence to do it in an easy to intercept/decipher/block if needed.
Re: (Score:2)
And Symantec is competent in what reality? Have you used Backup Exec? or Antivirus? or their Anti-Spam or really anything of theirs?
Re: (Score:2)
They give the Chinese government something they claim is the Windows source code. Unless China is compiling it and distributing the output, there is no reason to believe it's what they're actually running.
China is whaaat? (Score:1)
"China, a known cyber-adversary of the US"
Says who?
Says the same folks that fingered Iraq for 911?
And just what constitutes a "cyber-adversary"?
Does that mean we are both in the playoffs?
Welcome to SlashFox!
Re: (Score:2)
Says the same folks that fingered Iraq for 911?
So, um, no one?
Iraq was about their claims to be building a nuke, while importing Yellow Cake Uranium, and refusing nuclear arms inspectors. It never had anything to do with 9/11 except that it happened shortly afterwards.
Re: (Score:2)
And if Iraq was about oil, why did not one US company get in on the rebuilding, transport, or refining of Iraqi oil?
because the jackasses that lied our way in planned the exit just as well as the entrance?
Thousands of active chemical weapons, millions of liters of dual-purpose chemicals, and hundreds of tons of uranium don't count as WMDs?
No they don't [wikipedia.org]. They didn't have ANYTHING remotely close to what was promised they had. A few relic bombs is not a justification for invasion of another country.
Re: (Score:2)
I say again it takes two to tango. If there was nothing to hide when it became very clear we were moving forward with an invasion force, Saddam still could have said "wait, time out, look at whatever you want, wherever, any time". The US military rather than the UN inspectors could have gone in and done the verifying. He did not do that even though he had to have known there was no possible way his forces could repel a US invasion.
This leads me to conclude there are a few possibilities:
1) Saddam thought he had w
Re: (Score:2)
My assumption is also 2, my guess is that his were the chemical weapons used in Syria, not the Syrian chemical weapons.
The US telegraphed our attack way in advance, I don't recall exactly how long it was, but my belief is it was months. There was plenty of time to move the weapons over the border into Syria.
For the Bush lied fanatics, I keep this link in a text file on my desktop, it lists tons of people in the DNC and Clinton's cabinet talking about the WMD:
http://politics.slashdot.org/c... [slashdot.org]
Personally, I d
Re: (Score:3)
I always find it amusing when Americans like you don't even know your own recent history. Read and learn, you smug, cretinous dumbass:
http://antiwar.com/blog/2013/0... [antiwar.com]
Re: (Score:2)
I know the history quite well, I was an adult working in the defense industry for the whole thing. There was never any claim that Saddam had anything to do with 9/11, that was why the invasion of Afghanistan happened, not Iraq. Iraq was about WMD and the very strong and right belief of WMD there. Saddam thought he could bluff having the nukes to keep the US and Iran from invading him, he prevented UN weapons inspectors from entering the country and inspecting the weapons sites. He bought Yellow Cake Ura
Re: (Score:2)
That is a plain, flat-out lie, and you know it.
Cheney and the rest of that odious crowd made it Job 1 to convince Americans there was a connection.
They succeeded.
Why they won't... (Score:2)
Because they weren't asked. No need to make up other reasons, Avast, just because you weren't picked.
The government obviously isn't trying to have a peek at all anti-virus/security software.
They probably only want to look at the code for the software they may want to actually use, since it runs at the highest privilege on all their workstations and inspects all the email on their mail server, etc.
Re: (Score:2)
In other words, lemonade!
USG wants to purchase security software and roll it out across their various departments
Easy for them... (Score:2)
"they refuse to share their source code, and that the U.S. government hasn't even asked them"
How wonderful of them! That's like me saying that I haven't killed anyone for $100,000 even though nobody ever asked me.
It's easy to be moral when you haven't been challenged.