US Government Can't Get Controversial Kaspersky Lab Software Off Its Networks (thedailybeast.com) 127
The law says American agencies must eliminate the use of Kaspersky Lab software by October. But U.S. officials say that's impossible as the security suite is embedded too deep in our infrastructure, The Daily Beast reported Wednesday. From a report: Multiple divisions of the U.S. government are confronting the reality that code written by the Moscow-based security company is embedded deep within American infrastructure, in routers, firewalls, and other hardware -- and nobody is certain how to get rid of it. "It's messy, and it's going to take way longer than a year," said one U.S. official. "Congress didn't give anyone money to replace these devices, and the budget had no wiggle-room to begin with."
At issue is a provision of the National Defense Authorization Act (NDAA) enacted last December that requires the government to fully purge itself of "any hardware, software, or services developed or provided, in whole or in part," by Kaspersky Lab. The law was a dramatic expansion of an earlier DHS directive that only outlawed "Kaspersky-branded" products. Both measures came after months of saber rattling by the U.S., which has grown increasingly anxious about Kaspersky's presence in federal networks in the wake of Russia's 2016 election interference campaign.
Re: (Score:3, Funny)
Al is looking into it. (He prefers Alphonse, BTW) He said the Kaspersky shit is like Norton and is a bitch to get off of the machines.
It'd be best to just trash the machines and start with all new ones.
Alphonse knows a guy who knows a guy who can get really cheap machines. His name is Wong Wei Wang. His company is based in Beijing and is called (English translation) Friendly Not Government Controlled Computer Company. The Trump administration has already OKay'd it. Eric is such a great guy according to
Re: (Score:2)
... on a quantum computer.
Re: (Score:2)
... on a quantum computer.
A 3D-printed quantum computer.
Re: (Score:2)
With the rapid advancements in AI, it doesn't seem that this problem should be too hard to resolve.
Wasn't that the plot of Terminator 3?
Re: (Score:2)
What "rapid advancement"? No such thing is happening. It is still the same dumb automation that was available 30 years ago, just a lot faster and cheaper. It is not suitable to solve the malware problem as that is not a question of speed.
Re: (Score:2)
Let's rephrase:
With the rapid advancements in AI jargon and AI-related rhetoric by Silicon Valley startups in pursuit of lucrative venture capital, it doesn't seem that this problem should be too hard to resolve.
Prior art (Score:2)
Re:Prior art (Score:4, Funny)
It's Trojan horses all the way down....
Re: (Score:2)
Yeah, but the NSA had prior art on "fucking up the enemy's network", how dare someone infringe on that...
It depends on which side you are fighting for, Ivan. My enemies are my targets, and I am happy to destroy them. But allowing my enemy's software on my computers? Nyet!
I knew that Kaspersky was a Kremlin tool long before the US Guvmint idiots ever thought about it. Which is why I vet what is on my computer and networks.
Re: (Score:2)
Helen was from Sparta.
Either Helen of Troy, Helen of Sparta, or Helen is appropriate. https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
But the question is, who is a Russian? I propose defining that anyone with more than one grandparent of Russian blood is to be considered a Russian. For personnel for high-security duties, no ancestors since 1750 may be Russian.
All Russians are white, too. You'd better avoid the Chinese as well, as both of these countries are economically hostile against the US. Thus, no whites or asians may be allowed for any trusted jobs. Also, as neither Russia nor China recognizes genders which don't exist in natur
Re: (Score:1)
Fuck it then, just ban ALL people from contributing to proprietary software like Windows. Demand open source hardware and software.
Oh but we needs Windows for games!
No, you don't. What you're a slave of is DirectX.
Re: (Score:2)
Same as other racists, your problem is that you asked "who" instead of "what."
Instead of trying to classify the people, instead the useful question is: What is Russia? And what therefore amounts to Russian control of a non-Russian network resource?
It may turn out to be an issue between nation-states, not an issue between individuals at all. And it may actually be very easy to tell US Government property from Russian Government property!
Re: (Score:2)
Same as other racists, your problem is that you asked "who" instead of "what."
Excuse me, please tell me how could I write my post in a tone even more mocking?
Re: (Score:2)
You were mocking???
Disclaimer:
Englishmen never tell the truth! I should know, as I am an Englishman.
Re: Ban All Russians From Contributing to Windows (Score:1)
It was definitely of interest during the (first) Cold War if you had relatives or ancestors the other side of the Iron Curtain and you applied for a government or other potentially sensitive job. A relative of mine lost his job as a pilot because his brother was living in the West.
Family members are still used by ruthless regimes to put pressure on those otherwise out of reach so despite your exaggeration, it's a valid concern.
Karma is a bitch, eh? (Score:1)
~20 years of NSA infiltrating network components, who would have expected the other side to do the same...
U.S. government: Years of insufficient management. (Score:2)
I hope the U.S. will eventually have a healthy government.
The parent comment: "~20 years of NSA infiltrating network components, who would have expected the other side to do the same...?" (Slightly edited.)
"National Security is the chief cause of national insecurity." - Celine's First Law [wikipedia.org].
Life in the U.S. is rapidly degrading. [slashdot.org]
ALLEGED interference campaign (Score:1, Insightful)
There still has not been any proof or even shady evidence offered that Russia changed a single ballot or tampered with a single voting machine, or had agents at a single polling place to interfere with the election process.
Exercising the right of free speech in order to influence the way people think is called "politics," not "interfering with an election."
Foreign interests have "interfered" with our elections since the birth of the nation. It's nothing new. Get over yourselves.
Re: (Score:1)
exactly... and if everyone is so sensitive to influence.. why is the DNC not being investigated for paying $700k to Christopher Steele for that "fake" dossier based off intel given by another Mi6 asset, who just happened to work for the Clinton foundation
https://disobedientmedia.com/2018/04/all-russiagate-roads-lead-to-london-as-evidence-emerges-of-joseph-mifsuds-links-to-uk-intelligence/
i could fix it in an hour (Score:1)
install Linux, problem solved, tell all the users they need to brush up on their computer skills and quit surfing porn for 6 months, that should give them time to learn their way around the basics of using Linux for a desktop workstation operating system, libreoffice or openoffice whatever the user chooses,
Re: (Score:2)
Yep. Ask Sony music CDs.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
Even if there's a firmware backdoor, it depends on how it interacts with the running OS...
If it's totally independent then it can still do its thing, but then it's somewhat limited in what exactly it can do. If it's aware of the OS then it can be far more effective, but is also likely to break if the OS is significantly changed.
Re: (Score:2)
Step 1 in using Linux in an environment beyond your personal use: Make all those decisions for the users.
Step 2: Recognize that making 22 million people take even a 1 hour class (let alone "6 month") is a cost of more than half a billion dollars. Therefore, anything you can do to make it easier to learn is worth doing.
Re: (Score:1)
Re: (Score:2)
Are you trying to somehow say those same 22 million people aren't wasting at least an hour or more a week on unofficial breaks and chat sessions?
And they would just stop doing that if they were switched to Linux? If it were so easy to get rid of inefficiencies, it would have been done already.
Re: (Score:2)
For most use cases, a change to linux will be a minor adjustment to the UI - if they even notice at all, and depending on which UI they were using previously, and which UI you choose to run on top of linux.
There are also significant differences between windows xp/7/8/10, as well as various applications they might have been using, switching to a newer version of windows and msoffice can be as big of a change for many users as switching to linux.
Most of those users are probably already using linux in one form
Re: (Score:2)
Oh, a conversion is possible, for sure. But the OP was saying "just have them learn Linux, then choose an office suite, and then..." The right way to approach it is to produce one highly unified official distro, with all those decisions made. Hide most of the changes underneath an easy-to-use GUI. Get help staff ready, etc.
Although, your point about "already running Linux" is disingenuous. While ChromeOS, Android and embedded systems may all run Linux, none of them feel like linux. Most Android users ca
The question to ask.. (Score:4, Insightful)
The question to ask, as both a taxpayer and an IT guy is this: What's the "penalty" for failing to make the October deadline?
Re: (Score:2)
The question to ask, as both a taxpayer and an IT guy is this: What's the "penalty" for failing to make the October deadline?
For federal IT folks the penalty is public execution.
Re: (Score:2)
Re: (Score:2)
The question to ask, as both a taxpayer and an IT guy is this: What's the "penalty" for failing to make the October deadline?
You have to manage a network using McAfee HBSS [wikipedia.org].
Re: (Score:3)
The question to ask, as both a taxpayer and an IT guy is this: What's the "penalty" for failing to make the October deadline?
You have to manage a network using McAfee HBSS [wikipedia.org].
You joke, but that is, in fact, the approved DoD solution:
https://www.disa.mil/cybersecu... [disa.mil]
Replacement? (Score:2)
Re: (Score:2)
They'll probably go with something like av360.
If this had been an actual emergency (Score:4, Insightful)
The government is lucky this Kaspersky scare is bullshit, then. If this had been an actual emergency (e.g. the software were doing something bad, whether by design or due to some random bug that you can't fix because it's proprietary), sounds like everything would be totally fucked.
Re: (Score:1)
Yes, unfortunately the surest sign that Kaspersky refused to act on behalf of the Russian government (and ours, apparently) is that this is even being considered in the first place.
Re:If this had been an actual emergency (Score:4, Insightful)
It is a known fact that you don't have the information needed to determine it is "bullshit."
And you never would have it. And the second part of what you said is therefore the whole part that isn't bullshit; it might be an emergency, in which case the network is fucked.
Since knowledge of the evidence for the concern is classified, you don't know about it; and even if you had a security clearance, we know your job doesn't involve knowledge of these particulars because then you wouldn't be allowed to tell us. So by definition, you can't know it is bullshit; you either have reasons to believe it is a problem, because there is public information about what the danger is in losing control of a network, or you don't fucking know.
I'll give you a hint: If your opinions about network security are based on your domestic politics, you're a fucking idiot.
Re:If this had been an actual emergency (Score:5, Insightful)
Actually, the entire backstory of this whole farce is very widely known in cybersecurity circles, including the so-called "classified" facts (which are widely disseminated outside the US where said "classification" of otherwise widely known information is not relevant).
Here are the crib notes and timeline, without dates:
- Equation group leaks
- Equation Group software widely attributed to NSA in cybersecurity circles
- Kaspersky researchers tie Equation Group to creators of both Stuxnet and Flame via forensic analysis (note they DO NOT call out NSA here, but anyone with half a brain can put 2 and 2 together)
- US military and/or NSA (not totally known as it is "classified") become involved in Middle East anti-terrorism espionage using malware deployed on public wifi networks
- Kaspersky publishes research on said malware, again without attributing it to anyone, but making it public
- US military and/or NSA (not totally known as it is "classified") have to pull out of their espionage and invoke a burn order since they are exposed
To make it even shorter - Kaspersky did their job. Because their job exposed US government activities, the US government got pissed.
Re: (Score:2, Insightful)
This. Pretty obvious to anyone even remotely near the security consultancy field.
Combine that with all these accusations without anyone ever pointing out what and how the software is doing anything bad.
Re: (Score:3)
Kind of stupid to ban and attack foreign software because of course that makes a giant target of all US software. The US government is basically broadcasting a public message that US software can not be trusted because they will put back doors in it. This because they failed to prove anything wrong with Kaspersky software, just that they expect the Russian government to do what the US government does with security letters.
M$ Windows anal probe 10, with its unique to you updates, oh yeah, one security let
Re: (Score:1)
Kaspersky's biggest problem is that they have such a Russian sounding name. Can't they re-brand the product and name something like "Eagle Anti-Virus" or "Liberty Anti-Virus"? I think that might be the easiest way to solve this problem.
Re: (Score:1)
Re: (Score:2, Insightful)
Precisely right. Just because the US Government says that Kaspersky Lab Software is a risk validates nothing about there being an actual risk. Of course, that by definition makes the evaluation bullshit.
If it's such an emergency and the whol
Re: (Score:2)
Indeed. Fortunately, it still looks like Kaspersky's collusion with the Russian government is about as real as the WMDs in Iraq. My personal take is still that Kaspersky is likely the only AV vendor that flat-out refused to work for the either NSA and that the US government is pissed at that.
Virus or Anti-Virus (Score:5, Insightful)
Re: (Score:3)
Alternatively, they just have terminally incompetent and grossly underfunded IT people. That strikes me as a massively bigger risk than the alleged (but not really credible) risks from Kaspersky.
Huh? (Score:4, Insightful)
Re: (Score:2)
And if the issue is a piece of security software embedded in the equipment?
It sounds like it's a budgeting issue more than a capability one. They can't do it within their existing budget, not that they can't do it at all.
Re: (Score:2)
Then you use the "training" charge code to order new equipment because you've just been educated to demand open source hardware from now on!
Re: (Score:2)
You know that, and so do the admins of govt networks. But without the whining, their departments won't get that hundred million bucks of extra budget.
Re:Huh? (Score:4, Informative)
I think you missed the part about "embedded in routers", etc...
Re: (Score:3)
I don't see the problem (Score:2)
If it wasn't government, there would be a solution (Score:5, Interesting)
In the real world, I'd go to Kaspersky's biggest competitors and say, "if you replace these guys on a one-to-one basis (at no charge this year), we'll give you their support contracts in future years."
I smell BS (Score:2)
Way worse (Score:2)
"We thought it was just the White House computers crawling with stuff helpful to Putin but it's worse than we thought!"
Nuclear Option (Score:2)
Of course, if you're still afraid they left some kind of spyware, then just Nuke & Pave.
Tossing the hardware because you can't figure out how to use an uninstall something is only a solution for a rich moron that's a complete computer illiterate.
Sure a bunch of the higher ups more or less fit that category, but it's not like they're the ones that'll be doing any of it in the first place.
For that matter, even if they buy new hardware, it'll still have to be configured and hav
Kaspersky ain't shit ... (Score:2)
... compared to removing Avast.
Re: (Score:1)
I never had any trouble with it. I've de-installed, installed a number of times. No problem.
Some others like McAfee, Norton, some others hold onto your system for dear life. Like a tick. Seems like they are a virus.
Re: (Score:2)
That's you.
How about some empathy for lay people?
Avast has a file that has to be downloaded; saved to Desktop; and executed in Safe Mode.
For those you mention, they are a bitch. I use Revo Uninstaller with deep remove.
Re: (Score:1)
If you're on slashdot, I'm going to presume you're not a lay person.
Maybe I'm expecting too much? Is slashdot so easy even a cave man could find it?
Re: (Score:2)
So it's your position that lay persons don't use any of this shit?
Re: (Score:1)
So it's your position that lay persons don't use any of this shit?
You need to be more definitive in what you're asking about. Slashdot, anti-virus programs or removing them?
Doesn't matter I suppose. Sure, there are lay people on slashdot. Maybe you're one of them, who knows. You're not on facebook and you're not on twitter. Slashdot has always been more technically oriented. News for nerds, why would I expect you to not be a nerd? Maybe you missed that part? You're welcome to be here (even though some people on slashdot can be very abrasive), ask questions. However if yo
Incredibly stupid (Score:2)
All foreign software/hardware is a risk. (Score:2)
Don't think there are backdoors in Asian chips and boards?
Don't think there are other vulnerabilities put into software outsourced to India, China or Eastern Europe?
If so, you're an idiot, or just possibly a naive, uninformed, incompetent military/security timeserver more concerned with saving money and getting a good review than with actual national security.
Or maybe you're just stupid enough to trust our silicon valley overlords who do the actual outsourcing. I'm sure they give a shit about national secur
Uninstalls should be tested early. (Score:1)