It’s funny…  I was meaning to comment on Kaspersky for a while, but I kept putting it off.  I put it off so long that a whole news cycle came around to which the draft I was putting together seems maybe useful again.  And voilà… today’s post about Kaspersky.

As of today, we have anonymous reports saying that Russia obtained NSA information (like, remember the ShadowBrokers thing) using a copy of Kaspersky.  It’s unclear whether or not Kaspersky (the company, not the software) was specifically and purposefully involved in obtaining the information.  But in truth, it’s probably not good for their business either way.

This thing with Kaspersky has been going on for a while as folks might remember – back in July, for example, you might recall that the GSA removed Kaspersky from the list of approved products for US Government use because of suspected connections between the company and Russian intelligence.  Then, Jeanne Shaheen (Senior Granite State Senator) said publicly that extensive ties exist and introduced legislation that would prevent the use of Kaspersky products on US Government computers.

My opinion?  Look, I’m not into the conspiracy theories, but here’s the deal.  Remember that time that the NSA paid RSA 10 million dollars to use the known-weak Dual_EC_DRBG as the default in BSAFE?  I do.  If the NSA can get under the covers of RSA and manipulate them (a crypto company started by friggin mathematicians) into setting, in extreme foolishness, a potentially weak algorithm as the default, I feel pretty confident that Russia could get old Eugene to pull some shenanigans on his consumer AV product.  Sound far-fetched?  Maybe.  But let’s not forget that Eugene Kaspersky graduated from KGB school.  He served with Soviet military intelligence and met his wife at a KGB resort.  Is it far-fetched to think that someone might convince him to maybe accidentally-on-purpose make a string manipulation error in the software that’s easily exploited?  You could make this kind of thing look like an accident – to the point that even a code review (which he’s offered to do) might either not catch it or might make it look like an unintentional error.  If the NSA can get RSA to do it, I feel like someone could lean on Eugene enough (particularly if he knows them) to get him to do something similar.

As for me, I myself have always been a bit ambivalent about using Kaspersky.  Like, IMHO, if you want to pay some vendor instead of using something free, more power to you.  But I always figured people went into using Kaspersky with their eyes open, you know?  Eugene has been pretty open about his background – he’s made no attempt to hide his connections to Russian intelligence.  So I sort of figured it was a given that there’s a backdoor potential.  It’s hard to read one way or the other, because on the one hand he’s been pretty open with offering to provide source code for inspection…on the other hand, KGB.

Would I use it?  No… but again, not because I’m worried about Russian intelligence (as demonstrated by EternalBlue, if they want in and target you, chances are good they can get in).  Instead, it’s a no because I’m not interested in paying somebody money for what I can get for free elsewhere. AV is fungible, so I’m going with free.

Would I use it for a government contractor?  This is a different question.  From an abundance of caution standpoint, I guess I’d have to say I probably wouldn’t.  But the root cause of “no” in that case probably has more to do with me not wanting someone to armchair quarterback the decision down the road vs. being actively worried about nation-state attackers.