Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Get HideMyAss! VPN, PC Mag's Top 10 VPNs of 2016 for 55% off for a Limited Time ×
Government Security Software

Why Avast Won't Show Source Code To the Government, But Others Do (zdnet.com) 79

An anonymous reader writes: Avast, a security and antivirus company based in Prague, says they refuse to share their source code, and that the U.S. government hasn't even asked them. This is not necessarily the case for the rest of the industry. Over the summer we learned from a report at The Intercept that GCHQ and the NSA had a project to subvert security software so they could use vulnerabilities and exploits to their own advantage. Antivirus firms McAfee and Symantec were notably absent from the list of targets, and Symantec later confirmed over email that they "permitted source code review in controlled environments to meet government requirements." In addition to raising questions about whether a security product can be trusted under such circumstances, it also causes political problems: "Giving assurances to one country, and receiving government certification, can harm a security company in another. China, a known cyber-adversary of the US, accused Symantec last year of including backdoors that could allow outside access -- though it did not specifically say how -- and banned the product from the country."
This discussion has been archived. No new comments can be posted.

Why Avast Won't Show Source Code To the Government, But Others Do

Comments Filter:
  • They didn't ask Avast for their source code?
  • Security Software is a misnomer in this case. You can not convince me that any software that is not open source (with open source hardware btw) is safe or secure in any way. That's not what the NSA says tho
    • What good is open source hardware? How are you sure that your open source hardware hasn't been compromised between the factory and your house? Can you really be sure that the documents detailing the open source design of your hardware are actually being followed. Is there really anyway for people to verify what's going on inside the CPU?

      • How are you sure that your open source hardware hasn't been compromised between the factory and your house?

        That Fed-Ex driver is a sneaky one with mad hacking skills!

        • That Fed-Ex driver is a sneaky one with mad hacking skills!

          Actually there are numerous documented instances where one three-letter agency or another has intercepted computer hardware en route, added tracking or monitoring hardware/software, and then resealed the box so it could be delivered. I don't have citations at hand, but I believe both the FBI and CIA have admitted to doing this. I think possibly the NSA as well but I don't recall for certain.

          • by rtb61 ( 674572 )

            It still means that open source software in many areas is likely to get a huge, spy vs spy, push, because no one trusts any one any more because a lot of the spying has devolved to extortion scams (to force political alignment against the wishes of the majority, also very corrupt government private business 'er' partnerships) and industrial espionage as well as off course very focused capital investment espionage (think insider trading upon a mass scale based upon stolen data, NSA/CIA insiders, literally b

          • by AHuxley ( 892839 )
            Re "... added tracking or monitoring hardware/software, and then resealed the box so it could be delivered"
            "Photos of an NSA “upgrade” factory" (May 15, 2014)
            http://arstechnica.com/tech-po... [arstechnica.com]
          • "Numerous" is an inflation. There's one known instance, which is reason to believe there may be others, but no other examples are known publicly.

            As for why Avast hasn't been asked -- the government hasn't used their software. It's as simple as that.

            • "Numerous" is an inflation. There's one known instance, which is reason to believe there may be others, but no other examples are known publicly.

              I tried to locate the page which detailed this but couldn't find it. I seem to recall it was an ex-DEA or NSA employee who was explaining it. He recounted that this was done very frequently, with his involvement in over "a couple of hundred" instances. Unfortunately I can't find the page, but it was quite clear that it was by no means limited to one or even a few instances.

              He detailed how they worked closely with UPS, FedEx, DHL, and the USPS to divert packages, fiddle with the hardware, and then seal every

      • Its this. ITs Peanut butter. He's going to ask me if I understand etc. He's going to confuse the subject. He's going to pretend and insist to the end that he doesnt understand. I understand -- he's a charlatan. Thinking I'm going to try and make him understand that's his mistake. Don't watch me wind up or nothing but your going to get jerked pal
    • You can not convince me that any software that is not open source (with open source hardware btw) is safe or secure in any way. That's not what the NSA says tho

      Based on the Symantec quote, it seems more like the NSA wants to audit the anti-virus before it gets used on government systems. So, more likely, Avast isn't asked for their source because they're not getting greenlit to be installed.

      • by tippen ( 704534 )

        Based on the Symantec quote, it seems more like the NSA wants to audit the anti-virus before it gets used on government systems. So, more likely, Avast isn't asked for their source because they're not getting greenlit to be installed.

        Bingo. There are certain gov organizations that you can't sell into unless you let them audit your source. It's not just the US either. Also required for certain Russian certifications (for example).

  • Well, that one never did worked...

  • by Anonymous Coward

    so that's it for Symantec and Mcafee. Keeping Avast, kthxbye.

  • my theory (Score:2, Funny)

    by kelemvor4 ( 1980226 )
    The USG probably didn't think avast was a big enough player to bother with.
    • Considering Avast currently leads the AV marketshare with almost 25%.....
    • by Anonymous Coward

      Or they already had what they needed from Avast.

    • My theory is that avast didn't ask to have their product evaluated so no government asked for their code to evaluate. To be able to sell security products to a lot of governments you need to be evaluated. Common criteria is an international group that standardizes and recognizes the evaluations across its members. Being CC evaluated puts you on the shopping list for a reasonably large government market.
      For a list of products that have had at least one government(or their representatives) crawl through the
      • by AHuxley ( 892839 )
        Yes a lot of the AV brands do that. They give their code to different governments and then tell the world their products are good. Governments looked at the code and allowed them to bid.
  • Truecrypt was a community project as is its successor. Not to mention Linux and the like. There is no question this model works at this point.

    We need something similar for anti-virus/general security software for non technical-people.

    Let corporations wast money on junk like McAfee and Symantec...millions for peace of mind and not much else.

    Let the community have an option that we can rely on as being non-backdoored, and that non technical users who need this such as journalists can have a reliable option.

    KG

    • by DarkOx ( 621550 )

      The model works for Linux and True Crypt because the barrier to entry is low. Anyone can work on those projects with just about any PC from the last decade in their basement.

      No you can't probably hack on a specific hardware driver much without buying some kit but most people doing that have said kit and are incentivized to make it work for them, then they just share. I know some of the kernel driver devs 'work for kit' too send me a shiny new iWhatever and I'll try and update the iWhatever N-1 driver to w

      • by AHuxley ( 892839 )
        The other issue is how a government will log a users daily AV upgrade patterns. What brand, version, when they update.
        A unique "equipment interference" project would then create gov malware just for that user. No signature would/will ever exist as it is one of one. Any outgoing software firewall would see it as been allowed/trusted by the user.
        Heuristic analysis can help. More security on the average AV phone home, update functions was often lacking allowing governments to have a good understanding o
  • China is dumb for disallowing Symantec because they think it includes backdoors for the USG, while they continue to use Windows which almost certainly has such backdoors.

    • by zlives ( 2009072 )

      they are relying on MS incompetence to do it in a easy to intercept/decipher/block if needed.

      • And Symantec is competent in what reality? Have you used Backup Exec? or Antivirus? or their Anti-Spam or really anything of theirs?

  • by Anonymous Coward

    "China, a known cyber-adversary of the US"
    Says who?
    Says the same folks that fingered Iraq for 911?
    And just what constitutes a "cyber-adversary"
    Does that mean we are both in the playoffs?

    Welcome to SlashFox!

    • Says the same folks that fingered Iraq for 911?

      So, um, no one?

      Iraq was about their claims to be building a nuke, while importing Yellow Cake Uranium, and refusing nuclear arms inspectors. It never had anything to do with 9/11 except that it happened shortly afterwards.

      • I always find it amusing when Americans like you don't even know your own recent history. Read and learn, you smug, cretinous dumbass:

        http://antiwar.com/blog/2013/0... [antiwar.com]

        • I know the history quite well, I was an adult working in the defense industry for the whole thing. There was never any claim that Saddam had anything to do with 9/11, that was why the invasion of Afghanistan happened, not Iraq. Iraq was about WMD and the very strong and right belief of WMD there. Saddam thought he could bluff having the nukes to keep the US and Iran from invading him, he prevented UN weapons inspectors from entering the country and inspecting the weapons sites. He bought Yellow Cake Ura

          • That is a plain, flat-out lie, and you know it.

            Cheney and the rest of that odious crowd made it Job 1 to convince Americans there was a connection.

            They succeeded.

  • Because they weren't asked. No need to make up other reasons Avast, just because you weren't picked.

    The government obviously isn't trying to have a peek at all anti-virus/security software.

    They probably only want to look at the code for the software they may want to actually use, since it runs at the highest privilege on all their workstations and inspects all the email on their mail server, etc.

    • by tlhIngan ( 30335 )

      Because they weren't asked. No need to make up other reasons Avast, just because you weren't picked.

      The government obviously isn't trying to have a peek at all anti-virus/security software.

      They probably only want to look at the code for the software they may want to actually use, since it runs at the highest privilege on all their workstations and inspects all the email on their mail server, etc.

      In other words, lemonade!

      USG wants to purchase security software and roll it out across their various departments

  • "they refuse to share their source code, and that the U.S. government hasn't even asked them"

    How wonderful of them! That's like me saying that I haven't killed anyone for $100,000 even though nobody every asked me.

    It's easy to be moral when you haven't been challenged.

Say "twenty-three-skiddoo" to logout.

Working...