McCarthy Lives
And so does the House Committee on Un-American Activities.
Despite pending legislation to ban US federal government offices from using Kaspersky Lab security software, Homeland Security has issued a Binding Operational Directive demanding that the products be removed within 90 days. The directive gives government IT managers 30 days to identify which – if any – of their systems have …
As I said before here, it's purely Chinese whispers made by Americans about a Russian company. There is not a shred of evidence, but Kaspersky has a history of refusing to whitelist ANY government spyware.
This is thus either payback, or the agencies are gearing up to raid the homeland and don't want Kaspersky to give the game away. Or both.
First of all this brings me back to the news surrounding the 50's and 60's. You see; although the US claims to be the "land of the free" it really should be mentioned that this is "the land of the free to do as we tell you". Back in those days, the days of the cold war, the US disliked everything even closely related to communism. But worse: plenty of innocent people (from civilians to more well known people) saw their careers and reputation getting ruined because... the government suspected that they might be sympathetic towards communism. In other words: thought crimes. They didn't condemn people for the way they acted and/or behaved, nope, but for what they might have believed. Of course this backfired eventually and many "high class" politicians were forced to step down, but the damage had been done nonetheless.
The witch hunts all over again.
Isn't this a bit of the same? See, there's another thing I have a problem with:
"The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks"
Doesn't the same apply to US laws? I mean... just look at the NSA and Apple encounter, Apple was pretty much forced to comply to their wishes and only after Apple went public with the whole thing and still stood their ground things went sour for the US (after which even the president started mentioning stuff like "unpatriotic acts").
Can we now conclude that it is official then? So it's down to "Do as we say, not as we do"?
There's a word for that... when you uphold double standards and double morals....
Thing is, McCarthy was right: The United States political infrastructure in particular *is* indeed infested with Communists. Well, okay, maybe not card-carrying members of a Communist party, but post-modernist Marxist-Leninist worshippers. From Hillary Clinton right down. American universities are fucking INFESTED with them.
Burn them.
Burn them with fire.
Yep. It's hunting for an enemy because there is the possibility that people may start to get wise to "the war on [non-entity]" that results in unending warlike behavior. It's one of the main reasons I have a love/hate relationship with Rand Paul. Sometimes he's just a bit too far out there like it should be the state's right to decide on whether marriage is strictly hetero or allows homo which is total bullshit because the state has no business getting involved in the relationships between consenting adults. Other times it seems like he is the only member of congress who has any lucid thoughts at all.
It was pretty messed up. I enlisted in the USAF in 1965. As a youth I was a shortwave listener. Radio Moscow was easy to hear and I got a few QSLs from them. When they started sending me propaganda I wrote and asked them to stop. They did. (Now I'm sorry -- the stuff might be worth a lot!) When I got my ham license I managed to contact a few Russians, but our Morse Code conversations were very short: the Russians' names, cities, transmitter power and antenna.
I only needed a Secret clearance for my job, but there was a background check. When I went to start my first assignment, my clearance hadn't come through. Went to find out why. Turns out some neighbor had reported that I listened to R Moscow and talked to Russians (Mom must have blabbed) and my file was set aside and forgotten. After a few questions the officer laughed and my clearance went through. This was the state of paranoia in the 60s, and I've never forgotten it. Or the uptight neighbor I'm sure was the culprit. Probably getting even with me for interfering with their TV.
Seems to me the Kaspersky ban has little to do with national security. It's just another way to take a poke at the Russians, after the fact. The horses got out and the horse's ass is in the White House. But no one knows what to do about that, so they pick the low-hanging fruit.
...maybe they will evolve their own OS and software. We all (I think) know the none-too-glorious history of Red Flag Linux, so the presumption has been that they can't or won't, or that they won't stick at it.
But it is a very interesting thought exercise to consider how much of the US domination of tech is purely down to the dominance of two operating systems, Windows and Android. If the US government keep the pressure on Russia and China, then maybe the next two most powerful countries on earth might conclude that they really should break away from these two companies' products.
No commercial monopoly lasts forever. Maybe the DoHS have just signed the death warrant of Microsoft and Google's supremacy? In the grand sweep of history, that doesn't seem impossible.
If I'm not mistaken, China is already using its own version of Linux.
Given the current push on security, global knowledge of NSA activity and Microsoft's dismal handling of Windows 10 updates, I'm guessing that, in the next twenty years, there will be more country-based versions of Linux. Okay, scratch that, I'm hoping there will be.
One thing is for sure though, there will be a lot more encryption going around, and there's nothing any so-called democratic government can do about that because businesses (aka the real money men) need that to inspire confidence in the sheeple.
US government seems determined to make life hard for Microsoft! First they try to scupper any hopes for MS's AWS services in Europe by acting like they own MS's data servers in Ireland. They carry out mass-surveillance on European allies ("This is not what friends do" - Angela Merkel's beautiful summary). And they introduce laws that allow them to force US tech companies to assist them in surveillance and criminalise telling that they do so. And now they're practically asking Russia to use GNU/Linux more!
And I thought El Reg commentards hated Microsoft!
As a longtime Linux user, you can put me in that category.
Due to this freak of nature named 'Irma', I have been forced to flee my home and take refuge elsewhere.
Getting on-line wasn't that hard, but, since I didn't drag my PC with me, I am forced to borrow a laptop infected with Windows WindblowZE.
$DEITY damn do I hate WindblowZE!!!!
"They carry out mass-surveillance on European allies ("This is not what friends do" - Angela Merkel's beautiful summary)."
I agree with her on principle, but spying among allies is nothing new. Germany may have been doing the same to the US, "what friends do" or otherwise:
http://www.telegraph.co.uk/news/2017/06/22/germany-accused-hypocrisy-claims-spied-usa/
As far as the NSA goes, they would likely react to Merkel's statement like she was speaking Martian. "What do you mean, we don't spy on friends? We spy on everyone!" Which they do-- their own countrymen among them, ostensibly protected by the US Constitution*, the people that they as public servants are supposed to be serving. They spy on everyone. Such is the nature of government... in this age when mass surveillance is cheaper and easier than ever before because of technology, the US is far from the only surveillance state in the developed world. Sadly.
As far as the US government making Microsoft's life difficult... well, that's what they do. They're not out being hostile to the world so they can be nice to American businesses or citizens. They're just flat out hostile to everyone, without exception. They're not out to promote the interests of American people or American businesses... that's the excuse they may give when some politician wants to show his constituents that he's "doing something" about the NSA, but the reality is that they're only interested in the interests of the US government and the NSA specifically, which makes them opponents of American business interests and American citizens, not friends.
In short, we Americans don't like them either, but they do whatever they want regardless of what elected officials may claim they want. As the oft-cited quote that may or may not have been said by Mark Twain goes, "If voting mattered, they wouldn't let us do it." (The quote's authenticity has been questioned, but it's a fitting statement of affairs even if some unfamous person made it up.)
"Maybe the DoHS have just signed the death warrant of Microsoft and Google's supremacy?" As far as OSes, Bloat is probably much more vulnerable because it is closed source. Android, or a good chunk of it, is open source. It is much easier to hide backdoors in closed source than open source as only a small number of people can ever see the closed source code. Open source, by design, allows anyone to review the code, compile it, etc. so in theory the backdoors could be found by anyone (in practice most do not review the code). All that would be needed is for a few countries to ban Bloat until it is open source and replace it with a Linux distro.
Apple may get caught in the crossfire.
I think you will find that Russia, at least, can produce far better software than the USA and Europe. I don't know about China yet, but I wouldn't underestimate its resources either.
American (and Western in general) software has tended to conform to "commercial realities". For ten years I analyzed software products and standards for a large multinational computer corporation, and for a further 20 years I have continued that interest. And one of the most obvious patterns I noticed was that companies that have brilliant ideas and focus on quality are usually either driven out of business or acquired (basically to get rid of them). In the West, it's huge monsters like Microsoft and Oracle, and to a lesser degree HP and IBM, that rule the roost, and they are very clear about their priorities. Long-term profit first, growth second, image third, with customer satisfaction and product quality so far down the list they are almost invisible.
>>Is it really that difficult?
Nah, it's a fairly simple operation. Unlike McAffee where I had to download and run a (well-hidden) executable from their website to get rid of their bloody "1 month free" install from a shop-bought laptop. :/
But seriously, it can be a pretty big headache in Enterprise. You've got to arrange its removal from x hundred PCs in your organization, you've got to find the budget and organize purchase orders of a replacement, deal with any process changes for distributing updates centrally to whatever new virus vendor you choose. And the necessary meetings, of course. ;)
Basically, US government has just handed down one more PITA to the busy sysadmins of America. For (I strongly suspect) political point scoring. Or perhaps just a quick buck for American AV vendors. Who knows? :/
But seriously, it can be a pretty big headache in Enterprise. You've got to arrange its removal from x hundred PCs in your organization, you've got to find the budget and organize purchase orders of a replacement, deal with any process changes for distributing updates centrally to whatever new virus vendor you choose. And the necessary meetings, of course. ;)
Let's see... the last place I worked managed about 8,000 PCs. Desktop Engineering took the version of Windows to be used, removed all BS that the company didn't want (such as games, AOHell, etc.) and then loaded in the stuff they did want like Office, certain proprietary programs. This became the master. A copy was sent to the company selling us new PCs and all PCs were imaged from the master. Anytime an employee left the company, their PC was re-imaged for the next user. If a user has some serious PC issues, many times, a simple re-install from the master OS solved the issues.
Sure. But re-imaging isn't always convenient and would you really be happy if you suddenly found you had to re-image all 8,000 PCs in your organization? :) Plus, there are the other issues I mentioned. Yep, I stand by my calling this a PITA for Enterprise.
And the contract with HPE didn't include uninstalling software so they need to negotiate a deal, which will strangely cost more than the original windows install.
In-house staff couldn't do the uninstall because that would violate the warranty and anyway they were all downsized when support was outsourced to HPE.
"Unlike McAffee where I had to download and run a (well-hidden) executable from their website to get rid of their bloody "1 month free" install from a shop-bought laptop. :/"
Bollocks. I'm a unix sysadmin and even I know that a browse through the reg keys (from memory - my laptop runs Arch Linux) HKLM\software\microsoft\windows\currentversion\uninstall will give you the uninstall string for any .msi based software. Failing that you stop services, kill processes, delete directories and plough through the registry. A few reboots might be required but it isn't rocket science.
... and McAfee has one fucking f. Oh and add/remove programs has an uninstaller link anyway, even for the free version - you've cocked up in some way if you think you need an additional "cleaner" - which they even provide.
OK I may have spent one or twenty years doing Windows sysadmining as well.
It's not "bollocks". I had to remove McAfee from someone's shop-bought laptop years ago. Around six years ago? Firstly, Add / Remove programs didn't allow the removal of McAfee. They'd blocked that somehow. And your suggestion of searching the registry, manually killing processes, deleting install and operating directories and "a few reboots" is 'all that is required' isn't really making much of a case for removing McAfee being "not rocket science".
Seriously - why so angry?
> Is it really that difficult?
Hmmm, let's see....
90 days to remove Kaspersky ... no problem.
It's now September. Departmental budgets for the next financial year are just about being submitted now. So, choose a project to sacrifice (unless the DHS are offering new money - I thought not); move the 'New Anti-Virus' project to the front of the queue; assume approval is a no-brainer, in which case the project will be ready to roll come April, at the start of the new financial year. I confidently expect the replacement AV to be rolled-out and working by 1st August 2018.
;-)
Even if DHS (or whoever) reviews the source code, that's no guarantee that what's installed was built from that source code. In order for the source code review to be meaningful, DHS would have to build the executables and installers from that source code and create an internal distribution. They would also have to review and host all virus pattern definition files (or whatever) that are pushed to the PCs periodically.
A project like that undertaken by the gubmint would take many years and cost thousands of lives....
Honestly, I think Eugene Kaspersky would be mad to provide the Source Code to the USA. Remember that Kaspersky Labs exposed both the Equation Group (NSA) and Stuxnet (Israeli and USA targeted malware), so it's not like we can assume neutrality by the US government. Indeed, the Equation Group has attempted to penetrate Kaspersky Labs before. So from a Game Theory perspective we have the following possibilities:
1) Kaspersky software has sneaky backdoors in it.
2) Kaspersky software does not.
If it's #1 then obviously it's not in Kaspersky's interests to share source code. (Though you're right - proving executables match the source is a non-trivial task, I fully agree).
If it's #2 then Kaspersky knows that they are innocent and that this is likely for ulterior motives. In which case providing the source will only be giving away something of value for little likelihood of fair treatment.
So basically, there's no good reason for them to share source code. I suppose they might - because I suspect it's clean - but they'd have to be very optimistic to do so. And given the last hundred years of Russian history, I salute any Russian who is somehow an optimist. ;)
I'm not saying it's easy or ideal, but it's entirely possible.
I'm not familiar with Kaspersky, but most AV's have the core product, the engine and definitions split out. Checksums for the base software matching what the DHS had from their compiled version is easy enough.
Depending on how often the engine updates, it's pretty easy to do the same. Could be as simple as a special version for us.gov, code reviewed where engine updates are done by updating from a us.gov update server, where Kaspersky ping the source for us.gov to compile. Release notes and code audit is possible, just means us.gov may have delays in the latest engine, but it's certainly possible.
Definition updates are much harder to review in a timely manner, but surely have the source for today's definitions that have been reviewed as a starting point, then when a definition updates, Kaspersky send us.gov the compiled new definition, plus source, plus change notes. Us.gov compiles and checks it matches the checksum of the public definitions, and if us.gov make the same changes that Kaspersky detail in the change record and it also matches you're certain you know the source / compiled / public releases are all the same and you know it's all clean.
That plus ad-hoc full audits would probably do it.
I'm sure that's a very crude, inefficient and basic suggestion as I'm an infrastructure guy, not a developer. But if I can come up with the above - albeit crap - solution where I'm far from qualified to come up with anything, then I'm sure the brightest and best developers in Russia and US can come up with something solid. I dare say that the development inclined pros reading El Reg can come up with a proper solution in a matter of minutes.
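The build-and-compare check described in the comment above, as an added example (not part of the original comment, and not any vendor's or agency's tooling): hash every file in a tree compiled from reviewed source and compare it against the shipped tree. The file names and contents are constructed, and the check assumes the build is reproducible bit-for-bit; without that, every file would show up as a mismatch.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large installers need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(built_root: Path, shipped_root: Path) -> dict:
    """Compare a tree built from reviewed source with the shipped tree."""
    built, shipped = manifest(built_root), manifest(shipped_root)
    common = built.keys() & shipped.keys()
    return {
        # Same path, different bytes: shipped file was not built from this source.
        "mismatched": sorted(k for k in common if built[k] != shipped[k]),
        # Reviewed build produced it, but the release does not contain it.
        "missing_from_shipped": sorted(built.keys() - shipped.keys()),
        # Release contains a file the reviewed source never produced.
        "not_in_build": sorted(shipped.keys() - built.keys()),
    }


def demo() -> dict:
    """Constructed sample trees standing in for build output and a release."""
    with tempfile.TemporaryDirectory() as tmp:
        built, shipped = Path(tmp, "built"), Path(tmp, "shipped")
        for root in (built, shipped):
            (root / "defs").mkdir(parents=True)
            (root / "engine.bin").write_bytes(b"engine rev 1")
            (root / "defs" / "base.db").write_bytes(b"signatures rev 1")
        # The shipped tree differs: one definition file changed, one file added.
        (shipped / "defs" / "base.db").write_bytes(b"signatures rev 1 + extra")
        (shipped / "helper.dll").write_bytes(b"unreviewed")
        return compare(built, shipped)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Any non-empty category means the shipped release cannot be tied to the reviewed source, which is the point the earlier comment makes about source review alone guaranteeing nothing.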
So some of you seem to be saying that a Government has no right or obligation to protect itself?
That it should naively trust a company with roots in the soil of a perpetual sworn avowed enemy?
No doubt the greater number of those with that opinion have also felt free and justified in snickering at those same Governments for their lax security and now that they are waking up, so to speak, they're still wrong, only more so?
K, as do most others, "phone home" quite often. Oh, not to worry, they are all "checking for updates", that's all.
But who has a packet sniffer going constantly to examine such communication and, further, has the ability to decipher exactly what may be in the transfer?
The real world is filled with people with very specific interests. And, for the most part, not "your best", but theirs.