{"id":307,"date":"2017-07-12T13:53:11","date_gmt":"2017-07-12T13:53:11","guid":{"rendered":"http:\/\/securitycurve.com\/?p=307"},"modified":"2017-07-12T13:53:11","modified_gmt":"2017-07-12T13:53:11","slug":"kaspersky-goes-under-the-bus","status":"publish","type":"post","link":"https:\/\/securitycurve.com\/?p=307","title":{"rendered":"Kaspersky goes under the bus"},"content":{"rendered":"<p><a href=\"https:\/\/securitycurve.com\/wp-content\/uploads\/2017\/07\/thrown-under-bus.jpg\"><img decoding=\"async\" class=\"alignright size-medium wp-image-308 lazyload\" data-src=\"https:\/\/securitycurve.com\/wp-content\/uploads\/2017\/07\/thrown-under-bus-300x241.jpg\" alt=\"\" width=\"300\" height=\"241\" align=\"right\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 300px; --smush-placeholder-aspect-ratio: 300\/241;\" \/><\/a>So today we got news that the US <a href=\"https:\/\/www.reuters.com\/article\/us-usa-kasperskylab-idUSKBN19W2W2\">GSA has removed Kaspersky<\/a> from the approved list of technology vendors from which US government agencies can procure technology. \u00a0This, as you might imagine, in turn limits agencies from procuring and deploying Kaspersky products.<\/p>\n<p>Why did they get removed? \u00a0Well, the argument is that Kaspersky is based in Russia. \u00a0And there have <a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2015-03-19\/cybersecurity-kaspersky-has-close-ties-to-russian-spies\">long been rumors<\/a> that they are closely affiliated with Russian intelligence &#8211; maybe even to the extent that the security provided can be (or comes &#8220;stock&#8221;) deliberately undermined. \u00a0 Do they have connections with Russian intelligence? \u00a0Who knows. \u00a0Maybe. \u00a0Most security practitioners nowadays have at least a passing, cursory interaction with the intelligence community. 
\u00a0Is the software deliberately compromised? \u00a0I doubt it, but a scenario whereby a request from a government representative or intelligence official &#8211; such as, for example, refraining from disclosing information about a malware sample for a few days, might not be entirely out of the realm.<\/p>\n<p>Another theory is that they were removed strictly for political reasons. \u00a0Maybe because of the optics associated with limiting Russian intelligence interference capability? \u00a0I&#8217;m not sure I follow this line of argument fully, so I&#8217;ll just state that it exists and refrain from further speculation about what it might or might not be.<\/p>\n<p>Either way though, it highlights the reason why it&#8217;s not a good idea for governments to become too involved in the business of providing security services or products. \u00a0It&#8217;s happened before. \u00a0Like, for example, do you remember the <a href=\"https:\/\/www.schneier.com\/blog\/archives\/2007\/11\/the_strange_sto.html\">story of Dual_EC_DRBG<\/a>? \u00a0If you don&#8217;t, the deal was that the NSA pushed really hard for a known-weak random number generator to be adopted. \u00a0It was &#8211; in fact, it was codified by NIST as one of the key standards for generating randomness. \u00a0The NSA arguably knew it was broken (hey, at least they can get in, so who cares right?). \u00a0Some in the broader community barked at the time, but nevertheless it made it through the process. \u00a0And, the US government allegedly <a href=\"https:\/\/www.reuters.com\/article\/us-usa-security-rsa-idUSBRE9BJ1C220131220\">paid RSA 10 million dollars<\/a>\u00a0to make it the default in the standard cryptography toolkit that everyone used at the time. \u00a0So that probably wasn&#8217;t good. 
\u00a0It is, in fact, possible that this decision by RSA has something to do with the fact that BSAFE doesn&#8217;t have the ubiquity that it once did.<\/p>\n<p>It also highlights I think the conflict of interest that arises by virtue of countries allowing offensive cyberwarfare capabilities to influence the commercial entities that reside within their sphere of influence. \u00a0Is there an answer? \u00a0Not sure I know of one. \u00a0But it&#8217;s another link in the continuing chain of highlighting why government interaction with security tool vendors should be closely scrutinized.<\/p>\n<p>The upshot of this is that Kaspersky probably will suffer a decline as a result of this. \u00a0If other governments follow suit, they&#8217;ll lose some revenue share. \u00a0Moreover, if people start to think that Kaspersky has been deliberately compromised or influenced by Russian intelligence, it could <strong>really<\/strong> undermine their ability to compete. \u00a0Commercial AV is pretty much fungible &#8211; if it&#8217;s a choice between someone who maybe\/maybe-not is in cahoots with a nation state intelligence service vs. another one that costs more or less the same and isn&#8217;t, most people will tend to choose the one that doesn&#8217;t have any suspicion associated with it.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>So today we got news that the US GSA has removed Kaspersky from the approved list of technology vendors from which US government agencies can procure technology. \u00a0This, as you might imagine, in turn limits agencies from procuring and deploying Kaspersky products. Why did they get removed? 
\u00a0Well, the argument is that Kaspersky is based [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[4],"tags":[72],"class_list":["post-307","post","type-post","status-publish","format-standard","hentry","category-security","tag-kaspersky"],"_links":{"self":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/307","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=307"}],"version-history":[{"count":0,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/307\/revisions"}],"wp:attachment":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=307"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=307"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=307"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}