Kaspersky Lab Hits Back with Global Transparency Initiative

[frogboy]

Under-fire cybersecurity giant Kaspersky Lab has launched a new transparency initiative which will see its source code offered up for independent review.

The firm’s Global Transparency Initiative aims to restore trust in the company at a time when its products have been banned by the US government amid reports of Russian intelligence using them to spy on targets.

The initiative promises an independent review of the vendor’s source code by Q1 2018, to be followed by similar reviews of its software updates and threat detection rules after that.

Kaspersky Lab also set out plans for an independent assessment of its secure development lifecycle processes and its software and supply chain risk mitigation strategies by Q1 next year, and claimed it will ask an independent third party to test compliance with a newly developed set of controls governing data processing practices.

Other aspects of the initiative include the creation of three new Transparency Centres where trusted partners can access reviews of the company’s code, software updates, and threat detection rules, among other things.

These will be located in the US, APAC and Europe, with the first center planned to launch next year.

The Moscow-headquartered vendor also announced an increase in bug bounty payments for its Coordinated Vulnerability Disclosure program to £75,000 ($100,000).
Read More Kaspersky Lab Hits Back with Global Transparency Initiative

 

[cruelsister]

This Initiative is an insult to one's intelligence. No one is accusing K of having a hidden backdoor in the code. No One. But this does not mean that a backdoor cannot be installed during an "AV Update" as Comrade E fully knows.

I personally find it offense to be talked to like I am an idiot.

 

[mlnevese]

What else can they do? People are accusing them of being a potential spy tool to the Russians so Kaspersky is offering 3rd party access to their current code, future updates and even signature updates exactly because people would say "Oh there's no backdoor now but there may be in the future"...

I'm more worried with the fact that such full exposure may be a cause for source code leak.

 

[silfmus]

A antivirus company really need the trust of their customers - home and business. If one of the top 3 economy of the world says your product spies on them, there's no way to keep the trust guaranteed. What else can they do in this situation? This may, or may not, restore the trust of the customers, specially the business ones. Let's see what will happen.

 

[plat1098]

News of the Initiative is better received by less-savvy people like me who take it at face value because I very much want to believe K's conscience is clear plus the great respect I have for all the research and development. If it's proven this is just another piece of an elaborate cover, well, you know what they say about getting off the pot. What's holding you back?

 

[Deleted member 65228]

I'm more worried with the fact that such full exposure may be a cause for source code leak.

It has happened before. It happened to Norton as well, and probably other vendors. There is nothing to worry about though, because these leaks all happened a very long time ago (years such as 2006 or 2008 as far as I know). I believe they found out who was responsible as well, and people were arrested and prosecuted if I recall correctly. The chances are it was a raging employee who disagreed with something and back-stabbed them, or who was fired and had content outside of work (just speculation).

In fact, partial source code from Win2k was leaked (around 2004 I think). Despite it being illegal, I doubt Microsoft have cared about this recently... Maybe they cared about it back then, but Windows has changed so much. There are millions and millions of lines of new/changed code since. People have gone through and found interesting things regarding the comments (implying that employees were not "sober" at the time when working on things) at the time of the leak, there were articles dating back from around 2004 about it.

 

[mlnevese]

It has happened before. It happened to Norton as well, and probably other vendors. There is nothing to worry about though, because these leaks all happened a very long time ago (years such as 2006 or 2008 as far as I know). I believe they found out who was responsible as well, and people were arrested and prosecuted if I recall correctly. The chances are it was a raging employee who disagreed with something and back-stabbed them, or who was fired and had content outside of work (just speculation).

In fact, partial source code from Win2k was leaked (around 2004 I think). Despite it being illegal, I doubt Microsoft have cared about this recently... Maybe they cared about it back then, but Windows has changed so much. There are millions and millions of lines of new/changed code since. People have gone through and found interesting things regarding the comments (implying that employees were not "sober" at the time when working on things) at the time of the leak, there were articles dating back from around 2004 about it.

I was thinking about that when I made my comment... but the fact is that exposing their code to a 3rd party raises the danger of a leak an order of magnitude...

BTW Microsoft programmers being drunk while coding Windows would explain a lot of things

 

[bribon77]

The damage is already done, no matter how much K speaks, I don't think there's a solution.

 

[Deleted member 65228]

This Initiative is an insult to one's intelligence. No one is accusing K of having a hidden backdoor in the code. No One. But this does not mean that a backdoor cannot be installed during an "AV Update" as Comrade E fully knows.

I agree with you, but I also think it can be a good idea for people to audit the source code. You are right in my eyes though, because they can have their source code audited as much as people like, but the fact of the matter is they could have added a backdoor at any time in the past and since removed it, or add one any-time in the future after auditing.

There will be so much source code, I doubt people will know where to start. It will take more than a few people to get through it in that time length and understand every single aspect or what is going on.

It is bound to be in the millions of lines of code, and will require people auditing with a wide variety of knowledge on (including but not limited to): Windows Internals (general knowledge); kernel-mode development (Windows Internals), user-mode development... With a wide variety of language expertise (probably 32-bit and 64-bit Assembly, C, C++ among many others). The employees at Kaspersky may follow a specific programming style for code structure and management as well (e.g. anything from function and variable naming conventions to general lay-out) which can make it tricky to be read by someone with experience using a different style, and so on.

The source code can be audited to death but it doesn't mean the people responsible for auditing won't miss things, even if there is anything "intriguing" of suspicion there. Kaspersky aren't stupid enough to leave anything fishy in there even if there was in the first place before auditing anyway...

I personally don't think there is anything to worry about with Kaspersky, but what can they do? People are starting to lose trust in them. Maybe they are running out of ideas and want to find ways to gain back trust...

 

[Kubla]

The damage is already done, no matter how much K speaks, I don't think there's a solution.

Perhaps what is needed is some kind of "open source" backdoor detection software that can analyze a programs behavior and detect/report/block abnormal behavior or changes in its routine removing the ability for software developers to put backdoors in at all.

Something like VoodooShield with an AI that can detect changes in an applications behavior even after it has been set to trusted.

 

[bribon77]

Perhaps what is needed is some kind of "open source" backdoor detection software that can analyze a programs behavior and detect/report/block abnormal behavior or changes in its routine removing the ability for software developers to put backdoors in at all.

Something like VoodooShield with an AI that can detect changes in an applications behavior even after it has been set to trusted.

Not if I trust K completely, but what has been said has no solution. Some will trust and some won't.

 

[Deleted member 65228]

Perhaps what is needed is some kind of "open source" backdoor detection software that can analyze a programs behavior and detect/report/block abnormal behavior or changes in its routine removing the ability for software developers to put backdoors in at all.

You'll be wasting your time, it won't work out well. Neither will it be effective.

 

[FleischmannTV]

The source code of the client-side software is only one part of the equation. Server-side vulnerabilities of a cloud-AV vendor are at least as important.

 

[Deleted member 178]

The source code of the client-side software is only one part of the equation. Server-side vulnerabilities of a cloud-AV vendor are at least as important.

Even more to me. Any attacker could theoretically modify its rules (say blacklisting critical Windows Processes) to bring havoc on millions of systems in the world, which in a "cyberwar" situation is critical.

 

[509322]

This Initiative is an insult to one's intelligence. No one is accusing K of having a hidden backdoor in the code. No One. But this does not mean that a backdoor cannot be installed during an "AV Update" as Comrade E fully knows.

I personally find it offense to be talked to like I am an idiot.

It's media hype to make it appear as if the "issue" is being addressed when, in fact, the real issue isn't even a part of the initiative.

Plus, watch all the nonsense that gets posted about the U.S. bashing Kaspersky on the forums. The "commentators" don't even know what the real issue is.

 

[MBYX]

From what i understood at a glance, Russian operatives had access to data coming back to Klabs through Russian based servers
Revealing source code is like saying.
"Hey here's the inside of my house! .. while ignoring the car equipped with cameras that i loaded all your valuables in and had someone else drive over with."
The only way for them to restore trust would be as follows.

* Close all Russian based offices and relocate to western bloc country.
* Move all infrastructure to western aligned country with no affiliation to the eastern bloc

basically server any tie to Russia.
Its now becoming more clear that the treason charges earlier this year was because someone wouldn't play ball.

putting your code up for review is not going to gain any trust if anything it will just ensure a win for blackhat's looking for exploits in it and be a final nail in your coffin.

 

[cruelsister]

Lockdown- Exactly! The general public believes that CyberDefense only has the same data that is available to the Great Unwashed when this is far from the case. Sadly the methods of data acquisition had to be withheld from the previous administration due to these methods probably being divulged (either from Ultra-Liberalism or Treason- as if there is a difference). But finally there are Folk who have the Ears to Hear and the Brains to Understand in power, and thus the ban.

Although I totally understand, it does sadden and frustrate me that those for whom we work (very hard) to be maintained Fat and Happy in the ignorant bliss of CloudCuckooLand have the GodDamned Gall to call us Stupid (a comment on Wilders) as if all relevant information comes from CNN.

(I apologize in advance for this cryptic rant).

 

[509322]

(I apologize in advance for this cryptic rant).

It's unencrypted to me.'

A fantastical, untrue, but hypothetical story from the other side of the coin:

"I worked for U.S. intelligence in an upper room. I now work for U.S. based security soft vendor XYZ. Half my agent bros now work for it too. Some were field guys others basement guys. We're all still professionally cozy. Good, old boy alliances and relationships. Everything is technically proper though. There is no undue influence or conflict of interest between the parties. Russia won't let us sell our product on their soil. Gee... I wonder why."

 

[grumpy_joe]

How others see the news: Kaspersky, I am worthy of you

How I see the news: Can't wait for the wave of new exploits in Kaspersky!
Starting from 2018.

 

[plat1098]

The only way for them to restore trust would be as follows.

* Close all Russian based offices and relocate to western bloc country.
* Move all infrastructure to western aligned country with no affiliation to the eastern bloc

Well, to mangle a colloquial saying: You can take the good ol' boy out of Russia but you can't take Russia out of the good ol' boy.

Just being the :devil: because it's fun and I like it.