The US Congress Is Investigating Government Use Of Kaspersky Software (reuters.com)
An anonymous reader quotes Reuters:
A U.S. congressional panel this week asked 22 government agencies to share documents on Moscow-based cyber firm Kaspersky Lab, saying its products could be used to carry out "nefarious activities against the United States," according to letters seen by Reuters. The requests made on Thursday by the U.S. House of Representatives Committee on Science, Space and Technology are the latest blow to the antivirus company, which has been countering accusations by U.S. officials that it may be vulnerable to Russian government influence... The committee "is concerned that Kaspersky Lab is susceptible to manipulation by the Russian government, and that its products could be used as a tool for espionage, sabotage, or other nefarious activities against the United States," wrote the panel's Republican chairman, Lamar Smith, in the letters... A committee aide told Reuters the survey was a "first step" designed to canvass the U.S. government and that more action may follow depending on the results.
Agencies contacted include both the Department of Homeland Security and NASA. The committee wants to see internal risk assessments, plus a list of all systems using Kaspersky products and the names of government contractors using the software.
Dupe (Score:1)
Re: (Score:1)
Decisions, decisions (Score:3, Insightful)
Should I get anti-virus software that's pwned by Russia, or anti-virus software that's pwned by the US?
Re: (Score:1)
Depends on where you live. Which government can prosecute you?
Re:Decisions, decisions (Score:5, Informative)
While you are at it, look up "Reagan Scandals" complete with actual convictions
(Worst record ever)
And read the reality vs the lies about your hero [fair.org]
And once you're done wasting time, STFU with the right wing spew liars!
Re: (Score:2)
Should I get anti-virus software that's pwned by Russia, or anti-virus software that's pwned by the US?
For the individual, for personal use, it probably doesn't matter. And if you're running a recent version of Windows, you should not install Third Party virus software anyway, as Windows Defender is more than adequate.
What we are talking about here is specifically U.S. Government use of Kaspersky Bloat Ware, and in that context, they should definitely worry that Kaspersky is beholden to the Russian government as we know that governments including our own - ...cough...SNOWDEN...cough... - do in fact infect
Re: (Score:2)
The same holds for all software. Any software that is electronically updated from a US location, should be considered suspicious and of limited trust, that includes operating systems i.e. Windows is not an anonymous update, they know exactly what computer is being updated and can and do, supply custom updates, right up to US security letter backdoor upgrades to crack not only the OS but on many computers the firmware.
Should US government agencies trust software from overseas, no, it's stupid, same as any oth
The Committee . . . which will live in infamy as: (Score:2)
House Un-American Software Activities Committee
I am personally aware of 57 "nefarious activities against the United States," . . . most of them being performed by various US government three letter institutions . . .
Do unto others ... (Score:5, Insightful)
The best part of all this is that it tells the rest of the world how much we should trust software produced by US based companies.
Re: (Score:2)
Federal elections are every 2 years.
I'm Exceptionally Wary (Score:5, Interesting)
Given the Russian Government's utter reliance on subversive means, and their absolute control over the activities of every business, I cannot have confidence that Kaspersky has been granted any exception from those totalitarian rules. I would NEVER trust a product from a Russian business, and even abandoned Acronis (backup) for the same reasons some years ago. There IS no integrity in the service of customers in other nations that is safe from corruption in service to malevolent forces at play in the USSR government.
P.S.: Regarding the "Tophatter" ad, below... (Score:2)
...they are apparently complete scam merchants. The products on offer could be cardboard mockups of the product being sold, not the product itself, for all the backup and support you can get. There is no way to examine the merchandise, ask questions about it, or validate the product at all. See http://www.ripoffreport.com/re... [ripoffreport.com] It will inevitably be a home for scammers to accumulate money from rubes.
I would encourage /. management to vet advertisers before taking their money for ads in this respected we
Congress Has A Crack Team For This Already (Score:2)
Re: (Score:1)
Just for show...the gov't doesn't "get" software (Score:3)
You can bet that this is for show. The government simply doesn't "get" software development. The understanding has been shifting over the last 10-20 years, but it is a very slow process which is partly frustrated by the loads of laws and regulations that affect government acquisition.
That said, I can share some anecdotes from my own experience dealing with government projects.
One was a while back (03-05 timeframe) and the place where I was at was pretty small but was important enough that they had their own "computer security" guy on staff. I had a requirement to be able to SSH out to access a research system in a university lab. Of course, this outfit had everyone on Windows 2000 or XP, so I suggested PuTTY since nobody else there was using SSH and I figured it would be easier. As soon as the "computer security" guy found out that you had to download from some server in the UK, he gets all skittish. I tell him that it's fine, I had previously used it on personal, school, and work computers and that it was open source to boot. Well, at that point he about loses it. "Oh No! We can't have open source, plus it is developed in a foreign country!" I explained to him that not all of Microsoft's employees that develop Windows, Office, and whatever other MS software that was in use were located in the US and that even all those in the US were not necessarily US citizens. He was not that interested in the argument, and I might as well have been speaking to him in gibberish. I then explained to him that if he used the Internet that even Windows' network stack was based on open source components. I thought his head might explode.
After going through all that nonsense, that took way more effort than I thought it should, I came across some websites that experienced "difficulty" with rendering in IE. I requested Firefox (it may have still been Firebird or Phoenix at that time) and I thought the "computer security" guy was going to come across his desk at me for even asking. I gave up that fight relatively quickly and just did some of the browsing from my home machine.
Another time I was responsible for managing a network of RHEL servers and workstations that were not connected to the Internet. I had to make sure that when advisories and package updates came out that they were deployed in a timely manner. I would typically do this by downloading them from an Internet connected machine by going to RedHat's FTP site, burning them to CD/DVD and moving them via sneaker net. At some point along the way, they implemented a policy that blocked all FTP sites (including over HTTP if FTP was in the URL; dumb, I know). So, I walked to the helpdesk and requested that they unblock RedHat's FTP server so I could get the updates. They said that the policy was managed by headquarters and that I would have to submit a request listing each URL I would need unblocked (how was I supposed to get that information if they were blocked?). When I asked how long it would take, I was told around 90 days. I asked the guy if there were any other alternatives. He said (and I really wish that this were a joke and not the truth) that I could download them at home, burn them to a CD/DVD there and carry the disk into the building. I pointed out that the public Internet connection in the building had all manner of IDS, virus scanning, etc., while they had no idea what sort of security was on my home Internet connection. Still, he said that the policy allowed for media to be carried in as long as the person doing so initialed a form indicating that it had been properly scanned for viruses. I asked him if he realized how utterly nonsensical the policy was, and he said he did but that he could not do anything about it. So, I started downloading and burning at home then bringing in the CDs/DVDs.
Things are getting better in isolated pockets. Some folks in the government do understand the realities of how software gets developed now, the value of open source, etc. However, it is really an uphill battle and lots of stakeholders (especially contractors that make big $$$$ charging the government for custom development of everything) are threatened by it.
Re: (Score:2)
But muh red-baiting! (Score:5, Insightful)
This has got to be the dumbest tempest in a teapot ever conceived. The funny thing is that it's based on projection - it's the sort of short-term idiocy that American politicians and bureaucrats endlessly engage in. Putin may be a cold, ultranationalistic tyrant, but he's an extremely smart cold, ultranationalistic tyrant who is going to be in power for either as long as he wants to be or until somebody assassinates him. This gives him the luxury of taking the long view on issues.
To use Kaspersky's software against a foreign superpower is only a smart move as an opening shot in a hot war. This is because any spying or other mischief done through their product will almost certainly be caught. It's a (pardon the expression) trump card - you only get to play this card once and it's burnt forever. The only reason to worry about Kaspersky's software is if you're worried about a hot war with Russia, which is a mind-blowingly dumb move on either side. There are plenty of US politicians that are dumb enough to go there - they "need" to keep that military-industrial complex gravy train rolling, and people riled up about furr'ners tend to be easy to make sign on to any asshat agenda.
Re: (Score:3)
This has got to be the dumbest tempest in a teapot ever conceived. The funny thing is that it's based on projection - it's the sort of short-term idiocy that American politicians and bureaucrats endlessly engage in. Putin may be a cold, ultranationalistic tyrant, but he's an extremely smart cold, ultranationalistic tyrant who is going to be in power for either as long as he wants to be or until somebody assassinates him. This gives him the luxury of taking the long view on issues.
To use Kaspersky's software against a foreign superpower is only a smart move as an opening shot in a hot war. This is because any spying or other mischief done through their product will almost certainly be caught. It's a (pardon the expression) trump card - you only get to play this card once and it's burnt forever. The only reason to worry about Kaspersky's software is if you're worried about a hot war with Russia, which is a mind-blowingly dumb move on either side. There are plenty of US politicians that are dumb enough to go there - they "need" to keep that military-industrial complex gravy train rolling, and people riled up about furr'ners tend to be easy to make sign on to any asshat agenda.
The suspicious-Kaspersky story is just an extension of the general bad-Russia excuse the Hillary machine has been using for the past year. Kaspersky's only sin is being a Russian-based company. As software companies go, Kaspersky is probably more trustworthy than, say, Microsoft.
Re: (Score:2)
Tit for tat war? (Score:3)
If only there was some site.... (Score:1)
If only there was some site that listed the stories already on /. Then the editors could look down the page and see this had already been submitted.
https://news.slashdot.org/story/17/07/29/0122249/congress-asks-us-agencies-for-kaspersky-lab-cyber-documents [slashdot.org]
If I was to create a new OS (Score:2)
I think I'd call it Linux and make it very secure OS wise.
What will they say when they find no wrongdoing? (Score:2)
How about no anti-virus software? (Score:1)
It blows my mind that people think adding more bloat to the system is going to lead to improved security. Generally speaking I can tell you it's not. Reducing the bloat, releasing the source code, and auditing more code is what is going to lead to greater security. Combine that with easing the update process so users are taken out of the equation.
We (as a community) need to be able to properly manage source code and provide updates in a timely and sane way (and most GNU/Linux distributions do that reasonabl
At least the NSA can't influence Kaspersky (Score:2)
Since the bigger security threat comes from inside America rather than out, Kaspersky is probably safer than 3rd party American anti-malware. The NSA has easy access to the local companies and can influence them. The NSA can't so easily influence Kaspersky to do its bidding.
Re: (Score:1)
Why would the government use security software (Score:2)