
Kaspersky Admits To Reaping Hacking Tools From NSA Employee PC (zdnet.com) 139

Kaspersky has acknowledged that code belonging to the US National Security Agency (NSA) was lifted from a PC for analysis but insists the theft was not intentional. From a report: In October, a report from the Wall Street Journal claimed that in 2015, the Russian firm targeted an employee of the NSA known for working on the intelligence agency's hacking tools and software. The story suggested that the unnamed employee took classified materials home and operated on their PC, which was running Kaspersky's antivirus software. Once these secretive files were identified -- through an avenue carved by the antivirus -- the Russian government was then able to obtain this information. Kaspersky has denied any wrongdoing, but the allegation that the firm was working covertly with the Russian government was enough to ensure Kaspersky products were banned on federal networks. There was a number of theories relating to what actually took place -- was Kaspersky deliberately targeting NSA employees on behalf of the Kremlin, did an external threat actor exploit a zero-day vulnerability in Kaspersky's antivirus, or were the files detected and pulled by accident? According to Kaspersky, the latter is true. On Wednesday, the Moscow-based firm said in a statement that the results of a preliminary investigation have produced a rough timeline of how the incident took place. It was actually a year earlier than the WSJ believed, in 2014, that code belonging to the NSA's Equation Group was taken.
  • by Anonymous Coward

    WSJ, MSM,..... WMD anyone?

    Smear, smear, smear, it's the Russian!!! Oh wait it's the DNC!!!! Squirrel with Tits just ran behind that tree!!!

  • Beleivable (Score:5, Insightful)

    by AmiMoJo ( 196126 ) <mojoNO@SPAMworld3.net> on Wednesday October 25, 2017 @09:10AM (#55429543) Homepage Journal

    Their version of events is much more believable than the others offered so far. Guy takes home the NSA malware, disables Kaspersky to install some warez and then realizes his machine has been p0wned, so does multiple full scans. The NSA malware is picked up during those scans and automatically submitted for analysis (the default behaviour). During this time his machine had an open backdoor.

    What really worries me here is that Kaspersky apparently deleted the NSA malware and source code once they realized what it was. They should have analyzed it, generated signatures and published details. Failure to do so is far worse than simply sharing it with the Russian government, who I'd assume already had copies anyway given how leaky the NSA is.

    • by Anonymous Coward

      Quite. I wouldn't trust Kaspersky at this point - not because muh Russia, but because it's clear they're hands off when removing malware from state actors.

      Not that I care if the NSA figures out my porn preferences - the idea that state sponsored malware will remain solely in the hands of states is pretty daft.

      • Re: Beleivable (Score:5, Insightful)

        by Baron_Yam ( 643147 ) on Wednesday October 25, 2017 @09:21AM (#55429635)

        >Not that I care if the NSA figures out my porn preferences

        You should, so long as there are people out there who would punish you for them. There's a seemingly unending supply of sanctimonious people out there who will outright ruin your life if they find something about you personally distasteful.

        Even though you and I are likely so unimportant to the state and they're unlikely to use what they find against you, just on general principles you should want privacy from the government as a general rule whenever it is practical.

        When the three letter agencies have access to everyone's secrets, they're no longer serving the public since they have the power to control those who are supposed to be in power.

        • >Not that I care if the NSA figures out my porn preferences

          You should, so long as there are people out there who would punish you for them. There's a seemingly unending supply of sanctimonious people out there who will outright ruin your life if they find something about you personally distasteful.

          In a twist of irony, those selfsame people will as likely as not have much more interesting porn records than anything a normal person has. It's projection, and we see it time and time again, from Jimmy Swaggart's television set top wanking while a hooker does God knows what, to that creep preacher in Colorado who railed on about them thar homos, but enjoyed screwing his male masseuse, to better than the rest of us Josh Duggar who has some very interesting and illegal preferences. Brings new meaning to famil

        • by Anonymous Coward

          People would be wise to remember how sociopathic the masses can be when led by psychopaths. Most people are crude, cruel, egotistical and short-sighted when pushed in certain directions by certain demagogues. In such a world, anything will be punishable, to meet quite different goals than what is said.

    • Re:Beleivable (Score:5, Interesting)

      by mangastudent ( 718064 ) on Wednesday October 25, 2017 @09:44AM (#55429795)

      What really worries me here is that Kaspersky apparently deleted the NSA malware and source code once they realized what it was. They should have analyzed it, generated signatures and published details.

      Doing that with Officially Classified materials has legal consequences. For example, I assume employees of Kaspersky want to be able to travel outside of Russia without getting arrested and imprisoned. And to be able to travel to the US for security conferences.

      • Re: (Score:3, Funny)

        by Train0987 ( 1059246 )

        Doing that with Officially Classified materials has legal consequences.

        Unless you're Hillary Clinton, of course.

        • Re: (Score:3, Informative)

          More generally a member of our Ruling Class. See for example John Deutch [wikipedia.org] per Wikipedia:

          Soon after Deutch's departure from the CIA [as Director] in 1996 it was revealed that classified materials had been kept on several of Deutch's laptop computers designated as unclassified. In January 1997, the CIA began a formal security investigation of the matter. Senior management members at the CIA declined to fully pursue the security breach. More than two years after his departure, the matter was referred to the De

          • by Anonymous Coward

            ...and can't forget Sandy Berger being caught with classified documents down his pants: Unauthorized Removal and destruction of classified material [wikipedia.org]

            • by mangastudent ( 718064 ) on Wednesday October 25, 2017 @11:06AM (#55430295)

              Sandy Berger as a Clinton insider who actually got some real punishments, albeit wrist slaps aside from losing his law license, doesn't do a good job of making my greater point that there's a Ruling Class that's essentially not subject to the Rule of Law we peons in theory live under.

              On the other hand, he's a good example of how this crosses nominal party lines, this particular crime of his was done while Team Bush was at least nominally running the Executive, they should have nailed him to the wall.

              • Re: (Score:3, Interesting)

                Both parties cover for each other in the hope that when out of power they will be protected as a courtesy from the other party. This is the textbook reason why special prosecutors should always be used when there is evidence of criminal activity (as opposed to the Trump Russia investigation, where there is a lot of innuendo, but no actual allegation or evidence of criminal activity, ask a real prosecutor, they will tell you).

                As far as Sandy Berger, the guy was on camera stuffing classified documents into h

                • As far as Sandy Berger, the guy was on camera stuffing classified documents into his pants the day before Clinton left office...

                  Nit, he did that in late 2003, to destroy evidence pertaining to the Clinton Administration's handling of al-Qaeda's plots in 2000, before that was considered by the 9/11 Commission. Which continuing this theme of the parties covering for each other, included Jamie Gorelick, who should have been on the dock instead of in the commission, she had created the formerly notorious "wa

      • by Anonymous Coward

        AFAIK Individuals without security clearance have no legal obligations around classified material.

        • Do you think that would matter for a political prosecution? A concept we know Russians are very aware of.
          • Wait, your thesis is that Russian companies who do lots of business outside of Russia should be scared of the USA based on the way that political prosecutions happen in Russia? So they should just be basically stupid idiots who can't do a business analysis, because they're so damaged by their national civics?

            It doesn't seem like a very good argument. It seems that the businesses who do a lot of business in the rest of the world would be the most aware of how the world works, not the most absurdly fearful.

            An

      • Malware is malware.
      • by AmiMoJo ( 196126 )

        That's why security conferences need to move out of the US.

        • That's why security conferences need to move out of the US.

          Or, why they will continue to prefer having them here. ;)

      • by Meski ( 774546 )

        What really worries me here is that Kaspersky apparently deleted the NSA malware and source code once they realized what it was. They should have analyzed it, generated signatures and published details.

        Doing that with Officially Classified materials has legal consequences. For example, I assume employees of Kaspersky want to be able to travel outside of Russia without getting arrested and imprisoned. And to be able to travel to the US for security conferences.

        Does the NSA know Kaspersky's signature algorithm, and do they check the signatures 'their' code produces in Kaspersky's malware signature list?

    • What really worries me here is that Kaspersky apparently deleted the NSA malware and source code once they realized what it was. They should have analyzed it, generated signatures and published details. Failure to do so is far worse than simply sharing it with the Russian government, who I'd assume already had copies anyway given how leaky the NSA is.

      They said that their software sent them for analysis some files that belonged to the customer, and they deleted the files as soon as they realized that these were customer files.

      If Kaspersky did not delete customer files that their software sends them, then I would definitely say you have to dump them.

      "We found some of the software you were working on when we scanned your machine. Mostly we delete customer files we access by accident, but we thought this one was useful to us, so we kept it so we can reverse

      • "if we accidentally get some of your files, we delete them immediately-- any files of any type, no matter what they are or what they do."

        But if it got malware, how are they supposed to know if YOU wrote the malware (and thus the policy would be to delete it) or if you just downloaded it (and thus their policy should be to catalogue and hash)?

        • "if we accidentally get some of your files, we delete them immediately-- any files of any type, no matter what they are or what they do."

          But if it got malware, how are they supposed to know if YOU wrote the malware (and thus the policy would be to delete it) or if you just downloaded it (and thus their policy should be to catalogue and hash)?

          We are assuming here that Kaspersky is not actually clueless.

          Among other things, the fact that you have source code and several previous versions of the file might serve as a clue.

    • Or this is how the NSA malware was obtained and leaked in the first place. There is already a lot of evidence that Kaspersky is in bed with the FSB, there is no way in the real world that those hacking tools were just deleted before copies were made and sent to the FSB, AKA the Shadow Broker. Those hacking tools represented millions if not billions of dollars of investment and were active and potent cyber weapons. The jackass who took them home would have been executed for treason a few decades ago, and

      • I'm pretty sure nobody got executed for mishandling cyber weapons a few decades ago.

        Oh, and I corrected that annoying spelling error in the subject that everyone else has been ignoring.

        • In the era when literally everything is networked and you can crash a country's economy or power grid with the right cyber weapon, they are the WMD of the modern era, and we did execute the Rosenbergs for stealing US nuclear bomb technology for the Russians.

    • by mysidia ( 191772 )

      Guy takes home the NSA malware, disables Kaspersky to install some warez and then realizes his machine has been p0wned, so does multiple full scans. The NSA malware is picked up during those scans and automatically submitted for analysis (the default behaviour).

      In other words, the Antimalware software did exactly what it should do and is disclosed to its users of doing ---- SAMPLING SUSPICIOUS RUNNING PROGRAM FILES

      There's nothing shady about that..... Indeed failing to develop signatures for NSA malwa

    • What I don't understand is how did they know that the source code was from a government's classified project and therefore should be deleted? The way that I see it is that if they happen to get their hands on malware source code then why wouldn't they assume that it is illegal and process the heck out of it? So if I was a bad guy and wanted to protect my source code from analysis then I should mark it "Top Secret" and "Classified" and post it to my GitHub account and no one will mess with it?
      • by AmiMoJo ( 196126 )

        They have seen a lot of NSA malware before, and been monitoring them for years. They regularly inform US authorities when infections are found in the US, because the NSA isn't supposed to do domestic spying.

    • Their version of events is much more believable than the others offered so far. ...

      What really worries me here is that Kaspersky apparently deleted the NSA malware and source code once they realized what it was. They should have analyzed it, generated signatures and published details.

      You sound like you have some bias of some sort interfering with your analysis, as your conclusion contradicts the details.

      It seems that parts of their story are more believable simply by being more specific, but it also includes some very not-believable but important details. To me they look less trustworthy from their story; they want me to believe they're incompetent, not malicious, and I'm just not convinced that I should believe them, or that the specific incompetence involved is even different than being m

  • by Anonymous Coward on Wednesday October 25, 2017 @09:13AM (#55429569)

    No surprise here,
    Source: https://arstechnica.com/information-technology/2017/10/worker-who-snuck-nsa-secrets-home-had-a-backdoor-on-his-pc-kaspersky-says/?comments=1

    Direct quote:
    The NSA worker's computer ran a home version of Kaspersky AV that had enabled a voluntary service known as Kaspersky Security Network. When turned on, KSN automatically uploads new and previously unknown malware to company Kaspersky Lab servers. The setting eventually caused the previously undetected NSA malware to be uploaded to Kaspersky Lab servers, where it was then reviewed by a company analyst.

    • KSN and all similar technologies, including the Microsoft malware submission tool, should be made illegal.

      Rationale:

      * All software is protected by copyright.
      * Only the copyright holder has the legal authority to authorize copying the software.
      * Transferring malware from the infected user to researchers therefore violates the rights of the copyright holder.

      To what extent the above is sarcasm is left as an exercise for the reader.

      • by Anonymous Coward

        The sarcasm begins in part 2 of the rationale, with "Only the copyright holder has the legal authority to authorize copying the software." The copying would almost certainly be found, by any court, to be defensible as Fair Use.

        The purpose of the copying is to analyze the malware, not to use/enjoy the malware in the usual manner.

        The nature of the copyrighted work is functional, not artistic. And it's already published and shared with whomever the NSA has chosen to investigate.

        The effect of the copying on t

    • Alternatively, the FSB has an agent in the NSA, and they figured out a way to steal cyber weapons without getting caught (or so they thought). He illegally, under penalty of jail time or worse, brings home a trove of cyber weapons. He then turns on his home Kaspersky AV and infects himself and begins making AV scans, uploading all of the cyber weapons to Kaspersky in Russia, where his FSB counterpart makes copies to later leak as the Shadow Broker costing the US billions and destroying a decade's worth of

    • No surprise here.

      No, not at all.

      Many AV are set up that way, it was just bad luck for Kaspersky, it was being run.

      I use Comodo firewall, it's deliberately hard to configure for the on-line support. I've used it for so long I've got it down and have disabled sending suspicious files its way.

  • by Anonymous Coward

    Some bullshit about the product working only as intended. Hackers have been practicing obfuscated, "looks good but has a malicious side-channel" code since forever, [underhanded-c.org] and you'd be an utter dimwit (or vatnik!) to think that Mr. Kaspersky himself of the KGB's technical school doesn't know how to put these ideas into practice both programmatically AND socially.

    But guess what? Even if Kaspersky has the most honest intentions in the world, which they don't, that still doesn't prevent SORM from capturing everyt

  • Data trail (Score:4, Insightful)

    by YrWrstNtmr ( 564987 ) on Wednesday October 25, 2017 @09:20AM (#55429625)
    NSA->employee->Home system->Kaspersky AV->Kaspersky Lab servers --------> Russian Govt?

    If Kaspersky isn't working with the Russian govt, how did their Lab data end up with the Russian govt?

    Oh, and the NSA dude needs some jail time as well.
    • Re: Data trail (Score:5, Insightful)

      by guruevi ( 827432 ) <eviNO@SPAMevcircuits.com> on Wednesday October 25, 2017 @09:29AM (#55429689) Homepage

      Nobody has ever said the Russians had the malware. Russian government involvement is a red herring spun to distract you from the Russia-Clinton-Obama inconvenience.

    • Because it would be in the interest of the FSB to get the new malware and signature for two reasons (and I would not be surprised if the NSA does the same): 1) be made aware of new zero-day exploits and find a counter for the Russian firm/gov security; 2) get new exploitable weapons they themselves did not come up with, why outsource when some civilian can build something
    • by ljw1004 ( 764174 )

      NSA->employee->Home system->Kaspersky AV->Kaspersky Lab servers --------> Russian Govt?
      If Kaspersky isn't working with the Russian govt, how did their Lab data end up with the Russian govt?

      Your "missing link" was already reported two weeks ago: https://politics.slashdot.org/... [slashdot.org]

      Israeli Spies 'Watched Russian Agents Breach Kaspersky Software'
      Israeli spies looked on as Russian hackers breached Kaspersky cyber-security software two years ago, according to reports. The Russians were allegedly attempting to gather data on US intelligence programs, according to the New York Times and Washington Post. Israeli agents made the discovery after breaching the software themselves. Kaspersky has said it was neither involved in nor aware of the situation and denies collusion with authorities.

    • by Distan ( 122159 )

      If Kaspersky isn't working with the Russian govt, how did their Lab data end up with the Russian govt?

      We don't know that the data ended up with the government.

      Here is what is claimed:

      Reports published in the United States are that Israeli government hackers broke into Kaspersky and saw the NSA data. While the Israelis were there they witnessed Russian government hackers also break into Kaspersky and access the NSA data. Kaspersky claims the only people who hacked them were the Israelis and they were never hacked by the Russians.

      So if the Israelis are wrong the Russian government doesn't have the data. If

      • There is "hacking" and then there is tacit approval:

        Potential Kaspersky employee: "Hey, I will be leaving this backdoor open at 1am, here are the passwords you need and here is the location of the files you are looking for, please don't hurt my family"

        While technically hacking (unauthorized access) it may not have left any traces if it was an inside job, but either way, the FSB got in to Kaspersky's files and lifted all the NSA cyber weapons.

        I trust the Israelis (an actual democracy with similar values to A

    • If you aren't working for equifax, how is it that they have your data (or had, more to the point)? Your inference is highly flawed.
    • Exactly so.

  • Why not disclose it? (Score:5, Interesting)

    by Deathlizard ( 115856 ) on Wednesday October 25, 2017 @09:20AM (#55429627) Homepage Journal

    So it looks like what happened is what I suspected, that Kaspersky's Heuristic analysis found the file and submitted it for analysis. Which is fine since that's what it's supposed to do.

    The real question is why wouldn't Kaspersky submit it to other AV Firms or even Microsoft for analysis instead of just deleting it? From what it sounds like they had full source code on a virus. I would think that would be the equivalent of striking gold in the AV community regardless of the virus's source, Unless Kaspersky was afraid that the US would Pressure the heck out of them if they disclosed, which is not much different from what's happening now.

    • Exactly. If anything they HELPED the NSA by deleting a zero-day instead of analysing it and distributing the code to the common AV database. If anything it shows as the hard evidence shows Kaspersky benchmarks really well with heuristic AV scans. Doubt Trumpland will apologise for this. It [kaspersky] is now a political piñata. Don't let facts get in the way of that ;-)
    • So it looks like what happened is what I suspected, that Kaspersky's Heuristic analysis found the file and submitted it for analysis. Which is fine since that's what it's supposed to do.

      Really? It is supposed to upload all the source code of whatever the user is working on to the KAV mothership? Sounds like corporate espionage to me:

      KAV: Oh no, we didn't intentionally download the source code to Microsoft's new super-secret application. The user was just running KAV and it happened to flag on a malware signature (wink wink).

    • by decep ( 137319 )

      Have you ever purchased something from a store, only later to find that another item had been hidden inside, and tried to return that item to the store? I have.

      I purchased a household item like a comforter that had curtains stuffed inside. Nothing particularly high value. I returned the items I had not purchased to the store. When returning the items, while it was not overt, the store basically suspected me of theft and I was not exactly rewarded for "doing the right thing". Never again.

      Can you imagine

    • by AHuxley ( 892839 )
      A cyber thought experiment?
      How to create phone home software that just works but will not get detected/reported/studied by an advanced OS or AV?
      The mission is for a US persistent, generational file tracking effort that works, phones home and stays with documents.
      How to avoid that user alert but not have to worry about upgraded AV/OS detection/discovery globally?

      Some social engineering?

      Networking that looks just like all the other ongoing past/existing national/international contractor grade "poli
  • by cloud.pt ( 3412475 ) on Wednesday October 25, 2017 @09:29AM (#55429687)

    So basically, commercial software, namely an antivirus, proceeded as intended (detected malicious/suspicious code). Nothing new.

    Then the Russian gov., just like the US or the UK govs. pulled that software/information based on the principle of screwing anyone's privacy (especially foreigners) over national security concerns (which when you look at it from an impartial point of view, like me (someone who literally stands between both countries in western Europe), it's a contextually solid argument, even though I am completely opposed to this relegation of privacy to second place). This is also not new, and the US knows this happens frequently. They know it because they also do it. How many Silicon Valley corps. are suing the US gov. to prevent just that? (Well, Microsoft just dropped it because, well, the government had a bad case and decided to pull back).

    At least they're not loading Linksys hardware with trojans for deployment to China and Russia's top tier installations.

    Seems like a very plausible explanation from Kaspersky, clearly not at fault, and will be a clear case of hypocrisy by whichever government decides to slander private business of the company. Not only is the government at fault (that was bad BAD behavior from the employee, unless he was whistleblowing something, like Snowden), but they also do this.

    Demand local servers, just like Brasil did to Facebook, if you are worried about your info being offshored to jurisdictions you can't control the full chain of behavior.

  • It took the NSA 3 years to notice or 3 years to let everyone else know...
  • by FeelGood314 ( 2516288 ) on Wednesday October 25, 2017 @09:40AM (#55429777)

    After discovering the suspected Equation malware source code, the analyst reported the incident to the CEO. Following a request from the CEO, the archive was deleted from all our systems. The archive was not shared with any third parties.

    To be fair, this puts them in a bind. They acquired NSA malware source code but they got it because their product uploaded it to them. If they keep it and use it they are breaching the trust of their client. I trust and give Kaspersky permission to scan for viruses and pull their executables. I don't give them permission to look through various source code on my computer. This isn't about saving or shielding the NSA, it's about the integrity of their contract with their users. Screw the NSA but Kaspersky showed more integrity here than the NSA has ever shown in its entire existence.

    • by Anonymous Coward

      Actually, if you enable the reporting product you very much gave them permission to upload anything their software hits on as a target and give them permission to take it the hell apart so they learn how to stop it. Which is why you should read the EULAs. And if you are doing work for your employer or the government, you do so on a machine they supply to you with the software they supply, so it is their lookout as to whether they should enable reporting features on the antivirus product they give to you.

  • I mean are you REALLY naive enough to believe that Windows is
    1) an even slightly secure OS
    2) Microsoft (and therefore the NSA) really don't/aren't using their own backdoors built right into Windows (and maybe Intel's IME) to conduct ongoing scans, analysis and upload of anything/everything of "interest" that you ever have on your PC ?

    The problem is clearly the NSA employee who took the code home and put it on his Windows PC in the first place. He of all people should have known WAAAY better.

    • Adding AV to Microsoft is about as bad as adding an anonymous FTP server to your desktop. Passwords are only going to keep your friends honest.

      NSA guy should have known. What on earth was he thinking to allow his data to be uploaded to Russia. He's going to have a court date coming up.

  • by ripvlan ( 2609033 ) on Wednesday October 25, 2017 @09:54AM (#55429861)

    I'm willing to bet that Kaspersky had an employee who was also an unknown intelligence spy on the payroll.

    The intelligence agency figured out the US Govt was using software - submitted resume for spy to open job - and spy reported to work as instructed. Aren't we worried that the NSA is asking Google/Apple/ISP (cough AT&T) to open the door a crack?

    Isn't this the fear of many in security? - that an unknown group could change the C compiler source code to ignore or replace certain instructions. Then modify the encryption software with a backdoor that matches the pattern the compiler is looking for - and thus inject a backdoor? Said backdoor is not visible/obvious in the encryption software.

    And the method to do this is have spies report to work at legitimate businesses, with external orchestration of their activities.

    Also possible that said spy figured out the zero-day which was put to use from another group outside. OR coded said backdoor or side-channel vector.

  • by ErichTheRed ( 39327 ) on Wednesday October 25, 2017 @12:23PM (#55430799)

    Here's another thought about why it happened -- is it possible that NSA treats some of their more brilliant analysts the same way companies treat executives? Everywhere I've worked, security policies apply to absolutely everyone except the C-level and senior VP ranks. Execs just tell IT to plug whatever new shiny thing they got at a conference or Best Buy into the network, override password policy so they don't have to log in to their machines, and a whole bunch of other things that would get ordinary workers fired. Maybe if you're a super-brilliant borderline autistic cybersecurity genius, the NSA decides it's not worth it to try to enforce policy?

    I'm sure a lot of the safeguards around classified information are the equivalent of "security theatre" but I'm kind of surprised NSA would let their analysts casually walk out the door with unreleased exploit code and bring it home with them. People I know who work for defense contractors on much more mundane stuff can't even mount USB drives on their computers read-only, let alone copy files, but it seems like they just let things like this happen once you get a certain level of access beyond the perimeter. Some of the things I've heard described are totally security theatre, like covering whiteboards when the janitor comes through or insisting that every piece of garbage be burned _and_ shredded...but at least they have the common sense to prohibit employees from taking confidential data home and employees I've spoken with are well-trained to not talk about exactly what they're working on. I have a feeling we'd never know about this if it hadn't gotten to a machine without Internet access.

    Almost all companies work like this too -- once you're inside everything is trusted and can talk to everything else. That's absolutely the wrong thing to do, but rebuilding the network and walling things off to an "assumed-compromised" posture is super expensive and hard to implement. Lots of companies don't even have internal PKI right yet so port-level authentication on network gear isn't even possible. And the app landscape is so vast and much of it is so old that totally locking down some things would take tons of research and effort...all of which the company won't pay for. You would think NSA would be all over that though, given what they work on.
