Kaspersky Lab Sues Over Second Federal Ban (axios.com) 97
Cybersecurity firm Kaspersky Lab has filed a lawsuit targeting the second of two federal bans on its wares. The latest suit goes after language in a defense law explicitly blocking the purchase of Kaspersky products. An earlier suit targets a Homeland Security directive doing the same. From a report: The bigger picture: With the White House reluctant to institute additional sanctions on Russia, White House Cyber Czar Rob Joyce pointed to Kaspersky as an example of the Trump administration taking Russia seriously. While Kaspersky isn't alleged to be involved in the election hacks of 2016, it's hard not to see the actions against the firm in the context of deteriorated relations with Moscow, as part of a growing spat between the two countries.
Re: (Score:2)
I am not a Trump supporter. However this is common across nearly all countries even the US previously.
Being a Russian company. (Score:2)
We will need more proof than just "Trust Us" we are trying to protect you. In the midst of a lot of findings of Hacking from the Russian government, meddling with the elections, often with electronic means. With being a part of the government that likes to keep companies on a tight leash.
Kaspersky may actually be doing good things without opening the door to the Russian government, and may actually be better protected with their products from Russian hacking. However we will need solid proof on this, othe
Re: (Score:2)
What I wonder is why the selective treatment of one single company. If you think Russia is spying on you, block everything coming from there. It's not like Kaspersky is the only Russian security company (far from it) or the only Russian IT company (even further) or even that there isn't a LOT of OSS coming from that general area.
Take a look down Github. Sometimes it feels like every other library for compression or security has a Russian name next to it.
What's so special about Kaspersky?
Re: (Score:2)
Ok, please name the other Russian security companies whose products phone-home even if for legitimate purposes. Especially ones with as much market penetration as Kaspersky.
Kaspersky the man might well not intend to cooperate with nefarious interests of his government, but Kaspersky the man might not be able to stop said government from covertly penetrating Kaspersky the company either through actual hacking techniques or through social-engineering of company employees.
Re: (Score:2)
Funny enough you're even right, most of the Russian internet companies mostly serve Russia. It's actually pretty interesting how there is nearly for every US company a Russian counterpart. Google - Yandex. GMX - mail.ru. Kickstarter - Planeta. Bet you never heard about them.
Which is a shame, they're quite useful. But I don't see anyone banning the use of mail.ru or Yandex, which would actually make more sense than banning K if you ask me...
Re: (Score:2)
Re: (Score:2)
It's worse than admin access, it's low-level kernel access that sits underneath file systems and other services. Basically, AV is a rootkit, so if you install Kaspersky, it's very likely you are handing not just admin keys to the Russians, but pretty much core system functionality. Everything is naked before AV software, since that is AV software's fundamental purpose.
Re: (Score:2)
Well, it is pretty much a requirement if you want your AV kit to be able to do its job. You do hand your security the key to the building, too, so they can go check whether there is a burglar inside, don't you?
Re: (Score:1)
AV programs have even deeper level access to a system than the "Administrator" account.
All AV programs have automatic updates.
Anyone who can sign updates for your AV program can push arbitrary code to a computer and it will be trusted with that better-than-admin access to your system.
Kaspersky has known ties to Russian state security services. You do the math.
Not that that matters. There are no property rights in Russia's illiberal government. If someone at Kaspersky does not play ball the owners wi
Re: (Score:2)
I agree. Even if Kaspersky's software isn't tainted in some way, the fact is that it could be co-opted. I find most AV software fairly troublesome, but using Kaspersky on any of my systems just seems like inviting an unpleasant outcome. And I certainly understand why the US government wants nothing to do with it at all.
Re: (Score:2)
Re: (Score:2)
We will need...
Posted with Andriod, hence the speeling otters.
Re: (Score:1)
I can dig up more "proof" of US based companies colluding with the US government than any "proof" Kaspersky has colluded with the .ru government. For example; Google Chrome no longer trusts Symantec SSL/TLS certs. RSA getting caught red-handed sneaking in rigged PRNGs and "extended random" features into crypto products for millions of dollars. The infamous "NSA_KEY" in the Windows source code.
No. The burden of proof is on the US, not Kaspersky. But keep using our country's tools, that sounds like a well inf
Rights (Score:3)
Re: (Score:2)
They don't... I think, but with the US government being outspoken about the matter, it has leaked into other organizations and companies specifically choosing to avoid their software.
They are, to the best of my knowledge, not trying to sue them for boycotting their software (which they should be allowed to do anyways), they are actually suing them for defamation.
And willful defamation is actually against the law.
And it's worth noting that while the government might be immune to civil prosecution, the
Re: (Score:2)
I've worked with some companies associated with the power generation industry and already heard one story about 100% of hard drives being swapped out to eliminate Kaspersky in one organization.
Re: Rights (Score:2)
Meanwhile, their network is still wide open. I know because I have been to many and have worked on machine installs. That is the big joke. Ban Kaspersky, but everything is still unsecure. Hell, Kaspersky was probably making things more secure considering what it is now.
Our security has dropped to Chinese levels in many industries. I used to laugh when I was younger how I could access Chinese machines and mess with them, now I'm saddened at how many machines I can access across the US.
Re: (Score:2)
I didn't say it was an improvement per se, but the word supposedly has been coming from DHS to rip out Kaspersky.
Re: (Score:2)
Until Trump gets congress to monkey with the law, truth (and even belief of what the truth is) is a defense against libel and slander.
So good luck with that.
Re: (Score:2)
Re: (Score:2)
The problem with leaning on "belief" is that you would have to prove what your belief actually is, you can't just assert anything and insist on it. The other side will have experts that dig into the details of it and try to prove, based on your other words or actions, that you probably believed something else. And they'll do that by talking not about you, but about what a mythical Reasonable Person would believe.
If this was two companies, that might matter. But it doesn't matter if this company had some mea
Re: (Score:3)
I'm shocked that this government action gets any negative airtime on Slashdot.. After all, folks come out of the woodwork here to support the right of the states to enforce Net Neutrality rules on ISP's doing business with them. How's this all that different? It's a head scratcher for sure..
Personally, I've always maintained the "government", be it state, local or federal, has the right to buy or not buy what they deem fit for purpose and impose any rules they like on the sellers who stand in line to coll
Re: (Score:1)
Re: (Score:2)
The US government as a company belongs to you. Well, not totally, but at least you're kinda like a shareholder. And as such, you're entitled to them using the funds you provide them with well. Them simply declaring that they will only buy from this provider or never buy from that provider requires oversight, or it becomes a cesspool of bribery and corruption.
There has to be oversight because, well, would you, as a shareholder, want your CEO to buy his supplies from a company that just happens to be owned by
Re: (Score:3, Informative)
Nope, there is no law here.. There is an executive order that says that government purchasers may not approve P.O.s that include this product and any bids that include this product will not be considered. So we are good...
Re: (Score:3)
I take it, then, that you never bothered to pay attention in your civics class. If you had, you would have known about private bills [wikipedia.org]. Granted, they're rarely used now, but they're perfectly legal under the US Constitution.
Re: (Score:2)
The last sentence in your link shows some limitations in private bills,
So passing a private law to punish Kaspersky is unconstitutional.
Re: (Score:2)
Re: (Score:2)
In their defense, they do have a right to a hearing.
One hearing. At which their lawsuit gets tossed. :)
Re: (Score:2)
**Busts out laughing at the absurdity of believing they will ever do this. **
Discovery is going to be a bitch for 'em (Score:1)
To win this, Kaspersky Labs is going to submit to discovery, which means the government will get to pore through their books, emails, and everything else.
It's likely Kaspersky will fold once that starts if they have any underhanded ties to the Russian government.
Re: (Score:1)
What about discovery on the other side? Shouldn't the government have to show their proof that Kaspersky software is compromised? So far the government has accused Kaspersky of a lot of things, but has never once shown even a shred of proof. Isn't it just as likely that the government should fold during the discovery?
Re: (Score:2)
Not really.
All the government need argue is that they *could* be compromised by their corporate owners at any time and that this represents an undue risk to computer system security. Given that's a logical possibility argument, the burden of proof rests on Kaspersky to prove their product cannot be so modified.
Given the code base is controlled by Russian interests, I think Kaspersky has a hard uphill climb on this one.
Re: (Score:2)
The government hasn't said that it "Could" be compromised, they've stated repeatedly that it IS compromised. That's a very different thing.
Kaspersky isn't suing them because they aren't buying the software, there'd be no grounds for that. They're suing because the government is making claims about the software that Kaspersky says are false. The burden of proof in such cases always rests on the party making the claim, and that's the US government.
Re: (Score:2)
I beg to differ.. News reporting clearly indicates that more than just the US Government is reporting that this product has been used in the past for nefarious purposes... This action by the US Government then is perfectly understandable.
https://www.thetimes.co.uk/article/antivirus-firm-kaspersky-lab-ruled-by-russian-spies-2ghtw38ql
Re: (Score:2)
Your article (which is paywalled so impossible to read) doesn't do anything to change the facts. The first few lines (which aren't paywalled) imply that the British government's security service did not feel that Kaspersky was enough of a risk to advise Britons against using it, and states that an anonymous source said that Kaspersky wasn't trustworthy.
So far the US government has never put forward even a single piece of evidence to the contrary, and the part of your article that I could read did not eithe
Re: (Score:2)
So you agree that the US government isn't the only one saying Kaspersky is risky to use, independently others have made the same claims, yet Kaspersky hasn't taken legal action on those other claims. The US government hasn't moved to prevent Kaspersky from doing commercial business within the USA or even advised citizens to not use their products as other countries have. So, What's this lawsuit about at this point?
Re: (Score:2)
I agree that a single anonymous source that was quoted by a journalist stated Kaspersky was a threat. That doesn't make them so.
As for taking those others to court? why bother? If your legal team wastes their time with every single person that says something bad about you you'll go broke litigating them all. It's better to stick to the ones that you can prove actually harm your business. And this one with the US government makes that easy.
If the US government really believes Kaspersky to be a threat, fine,
Re: (Score:2)
BUT Kaspersky is NOT suing for libel, so this whole line of reasoning you are engaged in is moot, legally speaking.
Re: (Score:3)
National security trumps all of this. The US Government doesn't have to show its hand, it just has to say "we believe Kaspersky can be used by a foreign actor to compromise government systems", and pretty much that is that.
Re: (Score:1)
Only in an authoritarian dictatorship... oh wait...
Re: (Score:2)
How is a national government banning AV software from its computers due to fears that it may be compromised authoritarian?
Re: (Score:2)
"national security trumps all of this" is the part that only applies in authoritarian dictatorships.
In free societies "national security" doesn't trump facts and reason.
Re: (Score:2)
In free societies, governments are still free to tell citizens of potential security risks and to choose what AV software they'll install. This has nothing to do with freedom, and everything to do with prudence.
Re: (Score:2)
They are free to tell citizens of security risks, but so far they refuse to do so.
Seems far more likely that the only "security risk" is Kaspersky's refusal to implement NSA back doors.
In free societies governments don't hide their motives, if they find something like this, they do the prudent thing and show their evidence. The fact they refuse to do so implies that it would make them look worse than it would make Kaspersky look. Why do you think that is?
Re: (Score:1)
I bet if another country took similar action against a US company, that the US would retaliate with sanctions, and it could easily escalate to a full trade war. The US seems to think that everything they do must be virtuous, while everything a company from Russia does must be evil.
How about instead we look at actual evidence? or is that just too hard a concept for the "land of the free, home of the brave"?
Re: (Score:2)
Betting is one thing, knowing and thinking totally different...
Do you think we bust out the sanctions trying to get China and the Russians to use our stuff in their government controlled hardware and software?
I don't think so. Maybe you've heard of something?
Re: (Score:2)
The Chinese and Russians aren't telling everyone there are security problems with US software. The US on the other hand is doing exactly that.
There's a big difference between not buying something, and telling everyone else that the product is compromised and that they shouldn't buy it either.
Kaspersky is not suing for the former, they're suing for the latter.
If the US government has proof, this should be no problem, but this is Kaspersky saying "put up, or shut up!". Of course actual truth and evidence aren
Re: (Score:2)
The government isn't preventing you from buying as many copies of Kaspersky software as you like. They are free to hawk their wares in the USA all they like. The only thing the government has said is that the GOVERNMENT won't buy any more copies. Now both the Executive branch and Congress have the same policy... But they are not keeping Kaspersky from doing business here, only saying the government won't buy their stuff anymore.
How's that require proof of anything? They are not telling you that YOU can
Re: (Score:2)
If they just said "We aren't buying it" that would be fine,
But they are saying "Kaspersky software is a security threat" that's a provable claim, that they should have proof before saying.
I can decide not to buy from you, that's fine, but if I tell everyone that you're doing something specific that's unethical, I better have proof to back it up, otherwise it's slander or libel.
Re: (Score:2)
Then they need to sue for libel or slander, not for some cooked up constitutional charge. If Kaspersky was suing the government for lying about their product what you say might make sense, but as it stands, your legal theory isn't what Kaspersky is using.
Re: (Score:2)
Funny, the government isn't recommending against EVERY OTHER piece of anti-virus software out there.
Re: (Score:2)
They're saying it because it is. There are troubling links between the company and the kremlin, it's written by a company in Russia, and as part of its functionality it gains low-level access to any system on which it is installed, so yes, it's reasonable to assume that it has been compromised. And the NSA and the other three letter agencies don't have to show up in court with public evidence, they can basically show up, tell the judge "this cannot be disclosed in open court because it involves national sec
Re: (Score:2)
So in other words, as in all authoritarian regimes, secrecy trumps truth.
Glad I don't live in the USA!
It's far more likely that the reason they refuse to disclose the supposed vulnerability is that the only vulnerability is the refusal to implement the NSA's requested back doors.
The rest of the world is watching all this with interest, and so far, the evidence points to Kaspersky being among the most trustworthy products on the market. So far they're the only ones who seem to have told the US government to
Re: (Score:2)
Oh fuck off. You're still free to buy Kaspersky if you want, though I personally would think you were an idiot for doing so. I wouldn't let any Russian AV software within a mile of my computers.
Re: (Score:2)
I'd far rather let secure russian AV software on my computer than any software with a US connection. At least I know it isn't tainted by the NSA.
The world is waking up, US IT products are no longer a first choice, but now a last resort, not to be trusted. It's well known that the American government has no concept of rights or privacy, and that all US vendors are compromised by default. Precautions must be taken if using US products.
Re: (Score:2)
This isn't about the right to force the US government to buy their products, this is about the US government slandering them at every chance they get.
This is Kaspersky saying "put up, or shut up". The US government can choose their suppliers, but under US law neither they, nor anyone else, can make false injurious statements about others.
My advice to you? Get over it and quit whining.
Of course the rule of law, truth, and facts, have never meant all that much in the USA.
This is going to send a strong message (Score:3, Insightful)
If you don't let us get a backdoor into your products, you won't work in this country again.
Re: (Score:2)
But Windows 10 is ok? (Score:2)
Re: (Score:3)
The ones that a named DHS unit head [businessinsider.com] says occurred. It's amazing how forgetful you trolls can be.
Re: (Score:1)
The ones that a named DHS unit head [businessinsider.com] says occurred. It's amazing how forgetful you trolls can be.
I'm not a troll, you are. Did you even read what you posted. Here, I'll make it easy:
"A top official at the Department of Homeland Security told NBC News that Russia "successfully penetrated" a small number of state election networks during the 2016 US election."
Successfully penetrating a state election network and hacking an election aren't related. There's no evidence - and not even the allegation - that they changed anything.
Sorry, Hillary lost because she was a terrible candidate who didn't bother to
Re: (Score:2)
I'm not a troll, you are, first and foremost.
Traditionally one uses a question mark for a question, and yes, I did.
Yes they are. For instance, both your descriptions use "election."
"She did not say whether the Russian government altered any state voting registration databases or com
Re: (Score:2)
I don't have to have access to classified information (and wouldn't tell you if I did - think about that). Were there any evidence that Russians actually changed election results it would be on the news 24/7. It's the same way that I know the TSA has never actually caught a real terrorist.
Re: (Score:2)
Oh, I've thought about it. Not impressed.
But if it was classified then they wouldn't have access to it or even know that it exists. Think about that.
Nevermind that the "election hacks of 2016" are not limited to Russians directly accessing and changing votes in an outcome altering manner, and have bee
Constitutionality of a Bill Targeting a Co (Score:3, Interesting)
Completely aside from the political stuff of whether Kaspersky is giving things to the FSB and is therefore an elevated risk - I wonder aloud about the constitutionality of a law targeting specific companies.
Re: (Score:2)
It's not a law or even a regulation... It's an Executive Branch policy based on security recommendations that they won't allow any government agency to buy this product any more.
And it MUST be banned (Score:4, Interesting)
It is not acceptable for a sovereign government that any company, especially a foreign one, has the ability to render the whole country's computer infrastructure to a halt with the flick of a switch on their automatic update servers.
The system is already broken. Using closed source software puts any country's sovereignty at stake. Your software providers' "red buttons" are bigger and faster than Trump's.
Re: (Score:2)
Re: (Score:2)
Banning Kaspersky was just a distraction (Score:1)
Cyber Czar? (Score:2)
Should we really be using the title "czar" for someone who's supposed to be addressing potential hacking by _Russia_? I realize that term is commonly used as an informal title for these kinds of positions (though I never really understood how that got started). But it seems to be particularly absurd here.