Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Government United States

US Government Can't Get Controversial Kaspersky Lab Software Off Its Networks (thedailybeast.com) 127

The law says American agencies must eliminate the use of Kaspersky Lab software by October. But U.S. officials say that's impossible as the security suite is embedded too deep in our infrastructure, The Daily Beast reported Wednesday. From a report: Multiple divisions of the U.S. government are confronting the reality that code written by the Moscow-based security company is embedded deep within American infrastructure, in routers, firewalls, and other hardware -- and nobody is certain how to get rid of it. "It's messy, and it's going to take way longer than a year," said one U.S. official. "Congress didn't give anyone money to replace these devices, and the budget had no wiggle-room to begin with."

At issue is a provision of the National Defense Authorization Act (NDAA) enacted last December that requires the government to fully purge itself of "any hardware, software, or services developed or provided, in whole or in part," by Kaspersky Lab. The law was a dramatic expansion of an earlier DHS directive that only outlawed "Kaspersky-branded" products. Both measures came after months of saber rattling by the U.S., which has grown increasingly anxious about Kaspersky's presence in federal networks in the wake of Russia's 2016 election interference campaign.

This discussion has been archived. No new comments can be posted.

US Government Can't Get Controversial Kaspersky Lab Software Off Its Networks

Comments Filter:
  • We must read the story of Helen of Troy, and the Trojan horse. Most bolshy applicable.
    • by khandom08 ( 1319863 ) on Wednesday May 23, 2018 @02:38PM (#56661132)

      It's Trojan horses all the way down....

  • by Anonymous Coward

    ~20 years of NSA infiltrating network components, who would have expect the other side to do the same...

  • by Anonymous Coward

    There still has not been any proof or even shady evidence offered that Russia changed a single ballot or tampered with a single voting machine, or had agents at a single polling place to interfere with the election process..

    Exercising the right of free speech in order to influence the way people think is called "politics," not "interfering with an election."

    Foreign interests have "interfered" with our elections since the birth of the nation. It's nothing new. Get over yourselves.

    • by Anonymous Coward

      exactly... and if everyone is so sensitive to influence.. why is the DNC not being investigated for paying $700k to Christopher Steele for that "fake" dossier based off intel given by another Mi6 asset, who just happened to work for the Clinton foundation

      https://disobedientmedia.com/2018/04/all-russiagate-roads-lead-to-london-as-evidence-emerges-of-joseph-mifsuds-links-to-uk-intelligence/

  • wipe the drives of EVERYTHING!!!

    install Linux, problem solved, tell all the users they need to brush up on their computer skills and quit surfing porn for 6 months, that should give them time to learn their way around the basics of using Linux for a desktop workstation operating system, libreoffice or openoffice whatever the user chooses,
    • , libreoffice or openoffice whatever the user chooses,

      Step 1 in using Linux in an environment beyond your personal use: Make all those decisions for the users.

      Step 2: Recognize that making 22 million people take even a 1 hour class (let alone "6 month") is a cost of more than half a billion dollars. Therefore, anything you can do to make it easier to learn is worth doing.

      • Are trying to some how say those same 22 million people aren't wasting at least an hour or more a week on unofficial breaks and chat sessions? Just think of the inefficiencies!!! If the environment was setup correctly, with limited but specific programs needed to get the job done, then most people would do fine on most any operating system. This is especially true if you spend most of your time in a web browser or specific application for most of your work. At my work MS office, outlook and IE are pretty m
        • by nasch ( 598556 )

          Are trying to some how say those same 22 million people aren't wasting at least an hour or more a week on unofficial breaks and chat sessions?

          And they would just stop doing that if they were switched to Linux? If it were so easy to get rid of inefficiencies, it would have been done already.

      • by Bert64 ( 520050 )

        For most use cases, a change to linux will be a minor adjustment to the UI - if they even notice at all, and depending on which UI they were using previously, and which UI you choose to run on top of linux.

        There are also significant differences between windows xp/7/8/10, as well as various applications they might have been using, switching to a newer version of windows and msoffice can be as big of a change for many users as switching to linux.

        Most of those users are probably already using linux in one form

        • Oh, a conversion is possible, for sure. But the OP was saying "just have them learn Linux, then choose an office suite, and then..." The right way to approach it is to produce one highly unified official distro, with all those decisions made. Hide most of the changes underneath a easy-to-use GUI. Get help staff ready, etc.

          Although, your point about "already running Linux" is disingenuous. While ChromeOS, Android and embedded systems may all run Linux, none of them feel like linux. Most Android users ca

  • by lionchild ( 581331 ) on Wednesday May 23, 2018 @02:43PM (#56661174) Journal

    The question to ask, as both a taxpayer and an IT guy is this: What's the "penalty" for failing to make the October deadline?

    • The question to ask, as both a taxpayer and an IT guy is this: What's the "penalty" for failing to make the October deadline?

      For federal IT folks the penalty is public execution.

    • Nothing, you just apply for an extension and it's typically granted.
    • The question to ask, as both a taxpayer and an IT guy is this: What's the "penalty" for failing to make the October deadline?

      You have to manage a network using McAfee HBSS [wikipedia.org].

      • by flink ( 18449 )

        The question to ask, as both a taxpayer and an IT guy is this: What's the "penalty" for failing to make the October deadline?

        You have to manage a network using McAfee HBSS [wikipedia.org].

        You joke, but that is, in fact, the apporved DoD solution:
        https://www.disa.mil/cybersecu... [disa.mil]

  • Wondering if they'll replace it with TrendMicro, because that would be so much more secure....
  • by Sloppy ( 14984 ) on Wednesday May 23, 2018 @02:57PM (#56661276) Homepage Journal

    The government is lucky this Kaspersky scare is bullshit, then. If this had been an actual emergency (e.g. the software were doing something bad, whether by design or due to some random bug that you can't fix because it's proprietary), sounds like everything would be totally fucked.

    • Yes, unfortunately the surest sign that Kapersky refused to act on behalf of the Russian government (and ours, apparently) is that this is even being considered in the first place.

    • by Aighearach ( 97333 ) on Wednesday May 23, 2018 @03:38PM (#56661530)

      It is a known fact that you don't have the information needed to determine it is "bullshit."

      And you never would have it. And the second part of what you said is therefore the whole part that isn't bullshit; it might be an emergency, in which case the network is fucked.

      Since knowledge of the evidence for the concern is classified, you don't know about it; and even if you had a security clearance, we know your job doesn't involve knowledge of these particulars because then you wouldn't be allowed to tell us. So by definition, you can't know it is bullshit; you either have reasons to believe it is a problem, because there is public information about what the danger is in losing control of a network, or you don't fucking know.

      I'll give you a hint: If your opinions about network security are based on your domestic politics, you're a fucking idiot.

      • by Anonymous Coward on Wednesday May 23, 2018 @04:41PM (#56661898)

        Actually, the entire backstory of this whole farse is very widely known in cybersecurity circles, including the so-called "classified" facts (which are widely disseminated outside the US where said "classification" of otherwise widely known information is not relevant).

        Here are the crib notes and timeline, without dates:

        - Equation group leaks
        - Equation Group software widely attributed to NSA in cybersecurity circles
        - Kaspersky researchers tie Equation Group to creators of both stuxnet and Flame via forensic analysis (note they DO NOT call out NSA here, but anyone with half a brain can put 2 and 2 together)
        - US military and/or NSA (not totally known as it is "classified") become involved in middle east anti-terrorism espionage using malware deployed on public wifi networks
        - Kaspersky publishes research on said malware, again without attributing it to anyone, but making it public
        - US military and/or NSA (not totally known as it is "classified") have to pull out of their espionage and invoke a burn order since they are exposed

        To make it even shorter - Kaspersky did their job. Because their job exposed US government activities, the US government got pissed.

        • Re: (Score:2, Insightful)

          by Anonymous Coward

          This. Pretty obvious to anyone even remotely near the security consultancy field.
          Combine that with all these accusations without anyone ever pointing out what and how the software is doing anything bad.

        • by rtb61 ( 674572 )

          Kind of stupid to ban and attack foreign software because of course that makes a giant target of all US software. The US government is basically broadcasting a public message that US software can not be trusted because they will put back doors in it. This because they failed to prove anything wrong with Kaspersky software, just that they expect the Russian government to do what the US government does with security letters.

          M$ Windows anal probe 10, with it's unique to you updates, oh yeah, one security let

        • by Anonymous Coward

          Kapersky's biggest problem is that they have such a Russian sounding name. Can't they re-brand the product and name something like "Eagle Anti-Virus" or "Liberty Anti-Virus"? I think that might be the easiest way to solve this problem.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        It is a known fact that you don't have the information needed to determine it is "bullshit."

        Precisely right. Just because the US Government says that Kaspersky Lab Software is a risk validates nothing about there being an actual risk. Of course, that by definition makes the evaluation bullshit.

        And you never would have it. And the second part of what you said is therefore the whole part that isn't bullshit; it might be an emergency, in which case the network is fucked.

        If it's such an emergency and the whol

    • by gweihir ( 88907 )

      Indeed. Fortunately, it still looks like Kaspersky's collusion with the Russian government is about as real as the WMDs in Irak. My personal take is still that Kaspersky is likely the only AV vendor that flat-out refused to work for the either NSA and that the US government is pissed at that.

  • by coolmoose25 ( 1057210 ) on Wednesday May 23, 2018 @02:57PM (#56661278)
    If you can't get your Anti-Virus software off of your equipment, is it really anti-virus, or has it just become another virus?
    • by gweihir ( 88907 )

      Alternatively, they just have terminally incompetent and grossly underfunded IT people. That strikes me as a massively bigger risk than the alleged (but not really credible) risks from Kaspersky.

  • Huh? (Score:4, Insightful)

    by rsilvergun ( 571051 ) on Wednesday May 23, 2018 @03:01PM (#56661314)
    bullshit. Do a week of training with one of their competitors, uninstall the old stuff, install the new stuff, call it a day. None of this is difficult. These are software programs designed to take care of security for end users.
    • by AvitarX ( 172628 )

      And if the issue is a piece of security software embedded in the equipment?

      It sounds like it's a budgeting issue more than a capability one. They can't do it within their existing budget, not that they can't do it at all.

      • by Ichijo ( 607641 )

        And if the issue is a piece of security software embedded in the equipment?

        Then you use the "training" charge code to order new equipment because you've just been educated to demand open source hardware from now on!

    • You know that, and so do the admins of govt networks. But without the whining, their departments won't get that hundred million bucks of extra budget.

    • Re:Huh? (Score:4, Informative)

      by dyfet ( 154716 ) on Wednesday May 23, 2018 @03:22PM (#56661426) Homepage

      I think you missed the part about "embedded in routers", etc...

      • The article wasn't at all clear about what "code written by the Moscow-based security company is embedded deep within American infrastructure, in routers, firewalls, and other hardware" means
      • it's a bloody national security issue. Get the money for new hardware out of the Defense budget. There's no shortage of money there.
  • by xxxJonBoyxxx ( 565205 ) on Wednesday May 23, 2018 @03:03PM (#56661324)
    >> Congress didn't give anyone money to replace these devices, and the budget had no wiggle-room to begin with

    In the real world, I'd go to Kaspersky's biggest competitors and say, "if you replace these guys on a one-to-one basis (at no charge this year), we'll give you their support contracts in future years."
  • A government agency with no slack in their budget? Inability to remove third party software because it's embedded too deeply? This has all the look and feel of another tax payer shakedown.
  • "We thought it was just the White House computers crawling with stuff helpful to Putin but it's worse than we thought!"

  • LoL, it's called "uninstall".
    Of course, if you're still afraid they left some kind of spyware, then just Nuke & Pave.

    Tossing the hardware because you can't figure out how to use an uninstall something is only a solution for a rich moron that's a complete computer illiterate.
    Sure a bunch of the higher ups more or less fit that category, but it's not like they're the ones that'll be doing any of it in the first place.

    For that matter, even if they buy new hardware, it'll still have to be configured and hav
  • ... compared to removing Avast.

    • by ebvwfbw ( 864834 )

      I never had any trouble with it. I've de-installed, installed a number of time. No problem.

      Some others like McAffee, Norton, some others hold onto your system for dear life. Like a tick. Seems like they are a virus.

      • That's you.

        How about some empathy for lay people?

        Avast has a file that has to be downloaded; saved to Desktop; and executed in Safe Mode .

        For those you mention, they are a bitch. I use Revo Uninstaller with deep remove.

        • by ebvwfbw ( 864834 )

          If you're on slashdot, I'm going to presume you're not a lay person.

          Maybe I'm expecting too much? Is slashdot so easy even a cave man could find it?

          • So it's your position that lay persons don't use any of this shit?

            • by ebvwfbw ( 864834 )

              So it's your position that lay persons don't use any of this shit?

              You need to be more definitive in what you're asking about. Slashdot, anti-virus programs or removing them?
              Doesn't matter I suppose. Sure, there are lay people on slashdot. Maybe you're one of them, who knows. You're not on facebook and you're not on twitter. Slashdot has always been more technically oriented. News for nerds, why would I expect you to not be a nerd? Maybe you missed that part? You're welcome to be here (even though some people on slashdot can be very abrasive), ask questions. However if yo

  • The US government using Russian-made software to secure their machines is like the time that they let Russian workers build the Moscow embassy [wikipedia.org]. It ended up being so bug-ridden that they had to rebuild parts of the new building in order to have a secure zone.
  • Don't think there are backdoors in Asian chips and boards?

    Don't think there are other vulnerabilities put into software outsourced to India, China or Eastern Europe?

    If so, you're an idiot, or just possibly a naive, uninformed, incompetent military/security timeserver more concerned with saving money and getting a good review than with actual national security.

    Or maybe you're just stupid enough to trust our silicon valley overlords who do the actual outsourcing. I'm sure they give a shit about national secur

  • When software is tested the testing should include the ease of a full uninstall, plus some regression testing to be sure the uninstall didn't have side effects. I stopped buying Logitech products about 15 years ago when one uninstall had side effects that took me 8 hours to fix.

Avoid strange women and temporary variables.

Working...