NSA bloke used backdoored MS Office key-gen, exposed secret exploits – Kaspersky

The NSA staffer who took home top-secret US government spyware installed a backdoored key generator for a pirated copy of Microsoft Office on his PC – exposing the confidential cyber-weapons on the computer to hackers. That's according to Kaspersky Lab, which today published a report detailing, in its view, how miscreants …

  1. Anonymous Coward
    Mushroom

    Oooooh, really?!?!?

    Later, once reactivated, Kaspersky's software searched the machine as usual, removed the trojanized key-gen tool, found the secret NSA code during the scan, and uploaded it to Kaspersky's cloud for further study by staff.

    Whose staff? I contemplate this question in wonderment.

    And this upload to Kaspersky's cloud was 100% immune, and unrelated to, the GRU, or FSB.

    Da, Tovarisch!

    Who wrote Kaspersky's report? Kellyanne Conway?

    1. Dazed and Confused

      Re: Oooooh, really?!?!?

      > found the secret NSA code during the scan, and uploaded it to Kaspersky's cloud for further study by staff.

      So you're saying that if your anti-virus SW finds any files which might be of interest to your business and quickly steals a copy before anyone realises their mistake. Is it only source code you steal or perhaps you upload any photos and videos too.

      1. Anonymous Coward
        FAIL

        Re: Oooooh, really?!?!?

        @Dazed and Confused:

        Try again, this time around with a minimal effort at being coherent. Your first phrase contains subordinate clauses only. There's no main clause.

        Thank you.

        1. Anonymous Coward

          Re: Oooooh, really?!?!?

          Dazed and Confused

          Does what it says on the tin.

          1. rmason

            Re: Oooooh, really?!?!?

            There's always one per thread with no reading comprehension skills and/or a conspiracy theory mentalist.

            At least we got it out of the way early this time.

      2. Justicesays

        Re: Oooooh, really?!?!?

        Pretty much all the anti-virus vendors do this now, unless you untick the option.

        Microsoft also like copies of any files that crash any of their software, along with the memory dumps. Microsoft Security Essentials has a "send file samples automatically when further analysis is required" setting for instance. It's probably ticked by default.

        Obviously the archive would have been full of virus code, so presumably of interest to an anti-virus vendor.

        In any case this is pretty much entirely the NSA's fault. You have to wonder how someone can take *all of your hacking tools* home with them and drop them on their personal computer. You would think a tool kit full of zero days would be a pretty valuable asset and you would ration this stuff out rather than handing it out like candy. And of course the motives of the unnamed NSA operative (who can't even afford an Office license apparently) might well be pretty shady.

        1. Yet Another Anonymous coward Silver badge

          Re: Oooooh, really?!?!?

          You have to wonder how someone can take *all of your hacking tools* home with them and drop them on their personal computer.

          An NSA contractor walking out of the building with unlimited amounts of secret information - inconceivable

        2. td97402

          Re: Oooooh, really?!?!?

          I, for one, always disable the sending of malware samples back to the vendor.

          1. Tom 64
            Facepalm

            Re: Oooooh, really?!?!?

            > "Microsoft also like copies of any files that crash any of their software, along with the memory dumps."

            They must have a lot of copies of their own software sent back to themselves then.

            1. BongoJoe
              Joke

              Re: Oooooh, really?!?!?

              They must have a lot of copies of their own software sent back to themselves then.

              Which may explain why their Office325 and Hotmail/Outlook servers are often down.

              Simply: they're DDOSing themselves.

            2. Col_Panek

              Re: Oooooh, really?!?!?

              > "Microsoft also like copies of any files that crash any of their software, along with the memory dumps."

              That's why the new transoceanic fiber.

        3. BongoJoe

          Re: Oooooh, really?!?!?

          And of course the motives of the unnamed NSA operative (who can't even afford an Office license apparently) might well be pretty shady.

          And lives in a bedroom? How high is the fellow in the NSA ranking or don't they pay their agents enough not to live in a bedsit or with their parents?

          1. Sir Runcible Spoon

            Re: Oooooh, really?!?!?

            This machine obviously wasn't a sanctioned NSA device then, so totally not cleared to host sensitive information.

            If it was legit it would have been using a corporate licence for Office.

            The basis for the hearing was interesting though - they only seem interested in determining if Kaspersky should be sent down rather than the root problem which was the loss of sensitive information.

            Another fact – that yet another NSA staffer took top-secret work home and lost it, which is a criminal felony – was outside of the committee's remit, according to Representative Barry Loudermilk (R-GA)

            So their actual remit was to avoid looking too closely at the root cause and to just toe the official line?

            1. CrazyOldCatMan Silver badge

              Re: Oooooh, really?!?!?

              So their actual remit was to avoid looking too closely at the root cause and to just toe the official line?

              The clue is in the name: "Government Committee". Expressly designed to look like "something is being done" without actually doing anything.

            2. Anonymous Coward

              Re: Oooooh, really?!?!?

              Actually it's no longer a criminal offense if he didn't mean to get it released like this. He was just extremely careless and should not be prosecuted according to recent precedents. Intent matters and as he didn't intend to have it escape from his machine, he can't be held responsible.

      3. CrazyOldCatMan Silver badge

        Re: Oooooh, really?!?!?

        anti-virus SW finds any files which might be of interest to your business and quickly steals a copy before anyone realises their mistake

        Sigh.

        I'll use short words - the software by default is configured to upload malware samples for analysis. Almost all AV software also does the same.

        The ex-NSA muppet didn't turn that feature off.

        Now do you get it?

        (I've no axe to grind with Kaspersky - I've used it in previous jobs. Not always the best and somewhat resource-intensive, but a long, long way from the worst)

      4. Madeye

        Re: Turning it off

        Absolutely. The hashes for the source code will be totally different to the hashes for the software in the wild (which Kaspersky has a legitimate interest in and will have seen before). There is no way to tell the code is related to the binaries without compiling it. So if Kaspersky takes this source code without asking, it probably takes ALL source code for good measure. Or maybe only if it says TOP SECRET in the header.

        1. Kiwi
          Mushroom

          Re: Turning it off

          Or maybe only if it says TOP SECRET in the header

          Or maybe, just maybe, as has been pointed out numerous times in this thread, the archive contained COMPILED BINARIES as well as source material, and it was the COMPILED BINARIES that triggered the alert? Or maybe, just maybe, as has also been pointed out here, certain content that is the same between COMPILED AND SOURCE (eg URLs) was detected, and triggered the alert?

          But no, fuckwits with too few braincells to walk and chew gum at the same time gotta target them coz Russians bad and yanks good, right?

          1. Madeye

            Re: Turning it off

            Ok, so you've made a great big zip file with your source and your binaries of the NSA tools. You've taken them home in a single lump for convenience. As a result this single archive, which probably runs to hundreds of meg if not gigabytes, matches a known signature. So you are stating that it's ok for Kaspersky to upload this file to their servers without asking? Does it do this for ALL files that match signatures or just those that match NSA signatures?

            My point was that just because they identify binaries that match signatures, it gives them no right to upload unrelated items. Or upload anything without asking. Makes no difference if it's in an archive or as separate files on the file system.

            PS. I have no view on Russia vs US. However I do have a dim view of all anti-virus software companies and refuse to use them. Their software is only marginally better than the viruses themselves: you can pay them in dollars and don't have to fish around for bitcoin.

            1. Kiwi
              FAIL

              Re: Turning it off

              Ok, so you've made a great big zip file with your source and your binaries of the NSA tools. You've taken them home in a single lump for convenience. As a result this single archive, which probably runs to hundreds of meg if not gigabytes, matches a known signature.

              Actually most malware isn't very big. You can have a few hundred samples in a couple of MB. We are not told how many samples were in the zip file so you can have your terabytes of data, I'll say it was 2 samples and 2 bits of source, totalling 100kb, zipped down to 50kb. It's probably somewhere a bit more than my guess but far less than yours. Let's go for 10mb, the upper limit Google will allow for email. That's not really big, but you can fit a ton of text in there. I have a full height 5mb MFM HDD sitting around somewhere, for its original owner they probably had OS, programs and data on there, and probably paid several $hundred for it as well.

              10Mb wouldn't be much. For many people with today's HDD sizes and internet speeds, 100Mb wouldn't be much - I can (when at a mate's) download HD movies faster than I can watch them, and we don't notice much. On ADSL 2 people can stream HD movies. 100Mb is nothing by today's standards. Shall we go for a full series? I have a copy of Babylon 5 (all eps, movies and also the Crusades series) that is a little over 50Gb - took a couple of days for that to come down over ADSL.

              So you are stating that it's ok for Kaspersky to upload this file to their servers without asking? Does it do this for ALL files that match signatures or just those that match NSA signatures?

              If you knew anything about standards for AV you'd know that yes, for any new variant of a known strain, or something that is a heuristic match (Thunderbyte AV did heuristic matching back when 386s were still quite common) but does not match known malware, then yes, it is standard practice for a sample to be sent off to the AV company. If that file is part of a larger archive, then the entire archive is suspect and thus is sent (how can they tell it's not a largely suspect archive unless they look deeper?). You can turn this off, but IME it is the default setting for normal AV software. Kaspy does it, MSSE/WD does it, I think I can safely assume Symantec products do it. In fact I can say with some assurance that Avast, AVG, ESET, Fortinet, Kaspersky Lab, McAfee, Microsoft, Sophos, Symantec, Trend Micro, Vipre, and Webroot all send data up to home base, and some don't allow you to opt out (I do have an issue with doing it without giving you the chance to say no, but I don't have a problem with it being the default - users should be notified of this behaviour during installation I agree).

              This is how new threats are detected so outbreaks can (hopefully) be stopped sooner, perhaps so the AV company can be "first" to find it, etc. Without samples of new strains, the AV companies cannot a) work out what they do and b) work on a way to stop/clean/prevent infection. If you stop the AV companies getting samples of new malware you stop the AV companies.

              My point was that just because they identify binaries that match signatures, it gives them no right to upload unrelated items. Or upload anything without asking. Makes no difference if it's in an archive or as separate files on the file system

              If you don't want them to have that right, don't ask them to run on your system. It's pretty simple that even someone like yourself has at least a slim chance of grasping the concept.

              However I do have a dim view of all anti-virus software companies and refuse to use them.

              Going off your posts, I have to wonder if "dim" is the operative word? Run an online Windows? You need protection.

    2. Anonymous Coward

      Re: Oooooh, really?!?!?

      I read your subject line in the voice and mannerisms of Jim Carrey as Ace Ventura.

      1. Anonymous Coward
        Angel

        Re: Oooooh, really?!?!?

        > I read your subject line in the voice and mannerisms of Jim Carrey as Ace Ventura.

        That's very accurate. Thank you.

    3. John Smith 19 Gold badge
      Coat

      "Who wrote Kaspersky's report? Kellyanne Conway?"

      Kellyanne Conway can write?

      Pix or it didn't happen.

    4. Anonymous Coward

      Re: Oooooh, really?!?!?

      A Keygen for MS Office?

      What the heck was he installing OFF2007?

      We need an activation routine now OFF2010 and beyond...

      This makes no sense...

      1. Kiwi
        Windows

        Re: Oooooh, really?!?!?

        We need an activation routine now OFF2010 and beyond...

        Are you sure about that? Really?

        Oh? Well what about everyone else? Especially those who've got experience at hunting for software+keygen on torrent sites?

        (I have seen functional "keygen" tools for Orifice 2k10, most of but not all tripped AV and the ones that didn't trip AV appeared to act like they were perfectly fine. The customer was also told that their keygen was deleted as part of our normal cleanup processes (MSSE (never before noticed it sounds almost exactly like "messy"...) picked ALL keygens for MS software as malware. Also did the same for any files that were text with lists of keys in them IIRC, so not proof the keygens were harmful but definitely (as far as MS is concerned) fall into the "unwanted program" camp). (have I used enough ")" to be mathematically correct?))")")"?

  2. Anonymous Coward
    Big Brother

    Highly confidential Windows PC ..

    "highly confidential software exploits from the NSA employee's bedroom Windows PC"

    Highly confidential and Windows PC don't go together.

    1. Anonymous Coward

      Re: Highly confidential Windows PC ..

      As any NSA employee should already know. I mean, they've taken their malware (likely for Windows OS) home to a Windows PC and it went walkies courtesy of an OS they know to not be secure not being secure. FFS. I want to believe this was some sort of deliberate honeypot type action but I'm inclined to simply believe it was the actions of a fucking idiot.

  3. Jared Vanderbilt

    He's hosed.

    That spook was running bootleg Office. Black choppers from Redmond are en route.

    1. fobobob

      Re: He's hosed.

      Redmond vs Alphabet Soup: The Cage Match.

      1. h4rm0ny

        Re: He's hosed.

        Microsoft are old school. There's none of this Google / Facebook / Twitter desire to control opinions or the media or pretend to be The Good Guy... They just want money. All of it. Everywhere. They will do anything to get it. Even on occasion, if it's necessary, protecting your privacy. In an age of Google, there's something endearing about Microsoft's more Old School brand of evil.

        1. Kiwi
          Trollface

          Re: He's hosed.

          Even on occasion, if it's necessary, protecting your privacy.

          Actually I don't think they're that desperate for money.

          1. h4rm0ny

            Re: He's hosed.

            > Actually I don't think they're that desperate for money.

            I know that you're trolling (the troll icon gives it away!), but seriously - Microsoft have been fighting an expensive and ongoing legal action against the US government to prevent them being able to access Azure data in their Ireland data centres. They've been doing so because they know allowing this would be a big blow to their sales in Europe. As I said, if there's money involved, they'll even stoop to doing the right thing if they have to.

            1. Kiwi
              Coat

              Re: He's hosed.

              As I said, if there's money involved, they'll even stoop to doing the right thing if they have to.

              Right thing done for wrong motives = still right thing gets done :)

              (No, the end does not always justify the means, but sometimes we don't need to worry about the motivation if good stuff gets done and no one gets hurt).

              That said.. If MS is doing something, even for money, I have to re-check my own mental alignment to make sure something really is "right" when it's the same as what MS is doing.

              Been a long day. I should be in bed I think. Night.

              1. Mark 65

                Re: He's hosed.

                You might also want to wonder whether the resistance is in order to distract from something more untoward happening elsewhere. Just saying.

    2. Pascal Monett Silver badge

      Re: He's hosed.

      Indeed, I found that little line in the article very interesting as well.

      A "security" contractor who 1) takes confidential data out of NSA premises without authorization and 2) uses a malware-infested cracker to unlock an unregistered copy of Office without wondering what might go wrong.

      And those are the goons allowed to spy on us. If that's how smart they are, no wonder Russia can pilot US elections.

      1. phuzz Silver badge

        Re: He's hosed.

        Not to mention that this chucklehead had apparently never heard of LibreOffice/OpenOffice. How can you work in IT and not realise that there are better options than downloading a pirated version of Office?

  4. Sureo

    How is Kaspersky recognizing NSA source code anyway?

    1. Florida1920

      How is Kaspersky recognizing NSA source code anyway?
      Based on what we know, they probably put this comment at the top:

      # VERY SECRET NSA SOURCE CODE.

      # DO NOT READ THIS. IT IS VERY SECRET.

      1. BongoJoe

        Based on what we know, they probably put this comment at the top:

        # VERY SECRET NSA SOURCE CODE.

        # DO NOT READ THIS. IT IS VERY SECRET.

        What? No line numbers and REM statements?

        1. Anonymous Coward

          What? No line numbers and REM statements?

          That's lower down, just after the GOTO lines :)

    2. katgod

      Don't you think people who look at viruses and malware for a living can tell who the professionals are and who the run-of-the-mill coders are?

    3. Anonymous Coward

      How is Kaspersky recognizing NSA source code anyway?

      Ah, the old nemesis "comprehensive reading" rises again.

      From the article: "The antivirus duly deleted the Mokes malware, but also found several new types of NSA code – which appeared to be similar to the agency's Equation Group weapons that Kaspersky was already familiar with – which were pinged back to Russian servers for analysis."

      Kaspersky went public with this in 2015, greatly annoying the NSA.

      That is IMHO what is really behind the anti-Kaspersky thing: they keep showing up the NSA and other spy agencies by catching their spyware. Unless they get Kaspersky off the market, the NSA will forever have a problem spying on users and would potentially have to rely exclusively on what Microsoft slurps. As we know, single supplier strategies are never a good idea from a resilience perspective, and that goes for spy agencies as much as companies.

      Kaspersky's strategy is good here: transparency is good. Verified transparency is even better, but that creates a question in itself: who would you trust? I'd get Ross Anderson involved, but I'm not even sure he'd do work like that (and I'm not sure the UK spy agencies would be happy with him wandering into Russia either).

      1. Anonymous Coward
        FAIL

        Kaspersky's transparency strategy

        > Kaspersky's strategy is good here: transparency is good.

        Lots of unconditional love for the Russian FSB on this board.

        Yep. Very good strategy. Kaspersky AV transparently spies on you.

        You don't even have to go to Russia to find out what Kaspersky has been up to. It's all public.

        For starters, Eugene Kaspersky attended the KGB School as a teenager. He then went on to work for the GRU. That's good, because the KGB and the GRU always have your best interests at heart.

        Then Kaspersky had a change of heart, and became an Internet Freedom Fighter. He totally broke off any previous connections to the KGB or the GRU. How do I know this? Because Kaspersky himself said so, many times.

        Kaspersky AV has been known to be a FSB-sponsored spyware tool at least since 2012. But no, it's the very best AV one could install on their Windows PC. Transparency and all that. Delusion said so.

        Whenever I think of the KGB, what is the first word that springs to my feeble mind? Transparency.

        NSA spying on your files: BAD. FSB spying on your files: GOOD.

        Is that the idea here?

        1. Anonymous Coward

          Re: Kaspersky's transparency strategy

          "NSA spying on your files: BAD. FSB spying on your files: GOOD.

          Is that the idea here?"

          No. Or at least partially no.

          NSA wants to collect everything from everybody, including me. They've said that in public so I'm assuming it's true.

          FSB has a totally different approach: Only interesting individuals and/or companies are spied on and even then not _everything_ is "collected" as NSA says.

          Being a basically non-interesting entity I'd choose FSB over NSA any day and it has nothing to do with politics.

          This assumes Kaspersky is an FSB front end and unless there's some proof of that, I'll doubt it. Too transparent for that. Or masters of disguise, your choice.

          Founder being schooled by FSB isn't a surprise, probably best available school for cyber warfare and viruses Russia has.

          By that logic it's a funny thing that no-one has bothered to analyze connections between NSA and let's say McAfee. I'll bet the same schools can be found at some point.

          Too obvious?

          1. Anonymous Coward

            Re: Kaspersky's transparency strategy

            FSB has a totally different approach: Only interesting individuals and/or companies are spied on and even then not _everything_ is "collected" as NSA says.

            Being a basically non-interesting entity I'd choose FSB over NSA any day and it has nothing to do with politics.

            You know this for a fact? If anything current lack of infrastructure would be the FSB's only reason for not collecting everything. That and them not having a ?-eyes group to feed them with information of which one notable member (UK) sits at the juncture of most of the planet's comms traffic. They also run a great business in tapping undersea cables.

            Look at the map here (https://www.submarinecablemap.com) and see why the 5-eyes members might be who they are.

            Also, you only think you're a non-interesting entity. Maybe you are, maybe you aren't.

            Out of the two I think I'd prefer neither.

    4. Doctor Syntax Silver badge

      "How is Kaspersky recognizing NSA source code anyway?"

      It's malware. Detecting malware is what Kaspersky does for a living. Why would you expect them not to detect it?

      1. DropBear

        "It's malware."

        No. It's a bunch of non-executable letters. Source code. I'd also like to know what business an antivirus may have with bits that it determines do not contain binary, runnable code.

        1. Frank Bitterlich

          RTFA

          No. It's a 7zip archive full of malware - source code, executables, libraries, resources.

          If that didn't trigger even the most simple hash-based malware detection, anti-malware would be useless.

        2. h4rm0ny

          Not all malware is compiled software. There are plenty of scripts that constitute malware. I could write you a trojan in Bash right now if I wanted. Also, it said it uploaded infected zip files. So for example, I have project folders that contain both source code and compiled executables which, if I were transferring, I would zip up to export.

        3. Doctor Syntax Silver badge

          "No. It's a bunch of non-executable letters. Source code."

          From TFA (my emphasis):

          "The archive itself was detected as malicious and submitted to Kaspersky Lab for analysis, where it was processed by one of the analysts. Upon processing, the archive was found to contain multiple malware samples and source code for what appeared to be Equation malware."

          I read this as indicating that the archive contained both binaries and source and that it was the binaries that triggered the detection and subsequent upload of the entire archive. No need for the AV to have recognised the source.

    5. Roland6 Silver badge

      How is Kaspersky recognizing NSA source code anyway?

      Simple, source code and scripts (i.e. human-readable executables) will contain many of the same strings, e.g. certificates, passwords, URLs etc., that get compiled into binaries. So if you are doing a full system deep scan (i.e. don't trust the file extension and scan everything), an AV scan may well detect these and flag the file as suspect.

    6. Paul 129

      "How is Kaspersky recognizing NSA source code anyway?"

      Um a 7z archive, how many times when you download the source for Windows do you actually also download the executable?

      Expand that looking for virus, find a virus by checksum, upload the offending archive. I would have thought that was standard operating procedure, unless there

      On examination the archive also contains the source. Analyst gets to eyeball it as it's Equation Group. Someone's been hit by the NSA.

      All predictable, and all too plausible.

      As to what happened after that? Would you tell the NSA that their code has escaped? Would you if you were a Russian?

  5. Florida1920
    Facepalm

    Wait a minute

    An NSA employee with access to highly classified information is STUPID enough to run a crack? And disabled his AV to enable it to run? Oh, that shouldn't have set off any alarms in his/her head! I wouldn't give that idiot access to the road leading to the parking lot. With brain donors like this working in our security agencies, we might as well hand Putin the keys to the country and start learning Russian.

    1. ecofeco Silver badge

      Re: Wait a minute

      This. Right here.

      1. Yet Another Anonymous coward Silver badge

        Re: Wait a minute

        The only defence against totalitarianism is the basic incompetence of the security services (on all sides)

    2. a_yank_lurker

      Re: Wait a minute

      And the NSA is the most competent spookhaus around, heaven help us if that is true. I wonder if they can add 1 + 1 and get anywhere near the right order of magnitude.

      1. Anonymous Coward

        Re: 1 + 1

        Let's have a = 1 and b = 1

        So a = b

        Multiply both sides by a and have a^2 = ab

        Now subtract b^2 from both sides to get a^2 - b^2 = ab - b^2

        Factorise both sides to get (a + b)(a - b) = (a - b)

        Divide both sides by (a - b) and we get a + b = 1.

        Because a and b have both a value of 1, then... 1 + 1 = 1

        1. Anonymous Coward

          Re: 1 + 1

          Divide both sides by (a - b) and we get a + b = 1

          Yeah. Sure. It's a shame that division by zero is exclusively reserved by God for creating black holes :)

        2. Cederic Silver badge

          Re: 1 + 1

          "Factorise both sides to get (a + b)(a - b) = (a - b)"

          Hmm, no. You get (a+b)(a-b)=(b+1)(a-b) which means that after dividing by (a-b) you end up with a+b=b+1. Or 2 = 2.

    3. Anonymous Coward
      Devil

      Re: Wait a minute

      > An NSA employee with access to highly classified information is STUPID enough to run a crack? And disabled his AV to enable it to run?

      This is Kaspersky's version of events, and I do not find it believable.

      In the US, running bootleg copies of software is illegal. Yes, a lot of people do it, relying on "I won't get caught". But for a federal employee, or contractor, the situation is much more serious than for the average Joe.

      The story with the MS Office crack sounds a lot like a smokescreen.

      What is not clear at all is (a) the sequence of events and (b) the connection between the install of the NSA snooping software and the MS Office key crack.

      According to Kaspersky, its anti-virus was disabled for the purpose of allowing the installation of the MS Office key crack. It follows that before this install, Kasperky anti-virus was running on this computer.

      If Kaspersky has the ability to detect the NSA snooping tools, then the detection of these tools would have occurred as soon as the tools were copied to/installed on that laptop/desktop. Independently of the MS Office key crack. This makes the whole tangent about the MS Office key crack pointless.

      Which begs the question: how does Kaspersky know what to look for, and upload their find to Russia? I bet they don't upload random pictures of pets or landscapes. This is where the sequence of events - as explained by Kaspersky - breaks down. Along with the implication that a NSA employee who has access to these tools is careless or dumb enough to install them on a Windows personal computer at home that is under constant monitoring by Kaspersky.

      1. Anonymous Coward

        Re: Wait a minute

        No, I find this very believable. I have worked with "security professionals" who have done exactly this. The history of collection is full of clever people who thought that they were too smart to be caught by dumb systems.

        1. Richard Jones 1
          FAIL

          Re: Wait a minute

          Yes some people are not the brightest sparklers in the firework box. I well remember the case of an employee of the month(?) who became an ex-employee when found to be running phone frauds and illicit activities within 6 weeks of being employed on 'security and anti terrorism' in an 'overseas location'. Whoever organised his recruitment and vetting copped a fizzer for that embarrassing fiasco. Happily no major harm was caused in that case.

      2. eldakka

        Re: Wait a minute

        This makes the whole tangent about the MS Office key crack pointless.

        The point is that the malware installed by the Office keygen could have been the vector for someone other than Kaspersky getting access to the computer to obtain the NSA malware on it.

        how does Kaspersky know what to look for, and upload their find to Russia?

        Because hacking tools are usually suites that are built up over time, based on earlier revisions, enhanced, added to, and so on. Therefore, as with any suite, they often have common libraries, common blocks of code (so even if not a library, a copy-paste of working exploits from an older version into the newer version) and so on.

        Linguistic analysis can quite accurately tell who wrote a post, or series of posts, of novels, essays and so on. Everyone has their own style, grammar, punctuation usage, same repeated spelling errors and whatnot.

        The exact same thing applies to programming. Someone could have a favourite error routine that they've developed over years and reuse in new code rather than writing it from scratch - or using someone else's. The number of spaces/tabs used in indentation, language used in comments, variable/function/class naming styles, all can be used to determine who wrote a piece of code.

        Since Kaspersky had earlier samples of NSA malware/exploits, they already have a library of those common routines, styles, and so on to search for. So if they find a file that has a chunk of known code (e.g. still using the same exploit_0345 library in the new stuff, or an entire code chunk is the same as a sample they already have - but the rest is different) then any virus scanner worth its name will flag that as a suspect file. And if the user has enabled (or rather, hasn't disabled) the "send suspicious code back to mothership for further analysis" option that most modern AVs have - Kaspersky, ESET, Symantec, Windows Defender, and most of the other big-name ones - then that file, and 'surrounding' files, e.g. an entire zip archive if it finds suspicious files in the archive, will be sent back.

      3. Anonymous Coward
        Anonymous Coward

        Re: Wait a minute

        Sigh....When you run an AV scan, it will scan basically all the files in the areas you tell it to scan, executables, plain files, and compressed archives, the lot. Because malware isn't always simple and may hide and have helper files etc. Kaspersky also uses heuristics and scans for likely malicious but not yet identified files; and that uses their experience with malware over the years. As they are familiar with earlier "Equation Group" malware, they probably look for files with similar characteristics. With the user's permission they upload known and suspected malicious files for further analysis.

        This is all absolutely standard for almost all AV products and hardly a cause for any suspicions specifically directed at Kaspersky. Of course it's all the "RUSSIA, RUSSIA, RUSSIA" hysteria in the USA that makes this such a meme.

        Of course, knowing what we know and if we believe that AV products are snooping on us, one would certainly want to avoid any US based AV as they are certainly cooperating with NSA and others to actively snoop on you. Maybe use Finnish or Swiss based products - if they are snooping their secret services seem a little less likely to care what you may or may not do.

        1. Roland6 Silver badge

          Re: Wait a minute

          Sigh....When you run an AV scan, it will scan basically all the files in the areas you tell it to scan, executables, plain files, and compressed archives, the lot.

          However, many AVs mostly do a simple/quick scan focusing on program files as designated by their extension; in this mode archive files (i.e. zip files) tend to be skipped. Only when I do a full scan will the AV look inside an archive file.

          Hence I can install an archive file containing interesting material, open it, extract and open source and text files from within it and not have the AV flag anything - however if I copy a file with an executable extension out of the archive into a filesystem folder then this will get scanned in real-time and get flagged.

          I get this all the time with the Nirsoft tools, hence now I have a folder where I permit these tools to be installed and prompt to enable their execution.

          So the reason the NSA toolkit was on the computer and the AV hadn't detected it was because the user, up to the time they had cause to do a full system scan, had not given Kaspersky any reason to fully scan the archive.

      4. Kiwi
        FAIL

        Re: Wait a minute

        If Kaspersky has the ability to detect the NSA snooping tools, then the detection of these tools would have occurred as soon as the tools were copied to/installed on that laptop/desktop. Independently of the MS Office key crack. This makes the whole tangent about the MS Office key crack pointless.

        You do realise that one can install two OR MORE bits of software/data on a computer at one time, right? Or is that beyond your comprehension?

        TFA says that Kaspersky was disabled on the machine for some weeks. I could install whole terabytes of data in that time! Imagine! Incredible!

        Which begs the question: how does Kaspersky know what to look for, and upload their find to Russia?

        If you don't know how AV software works, you might want to skip commenting on articles about it. Maybe reading the article again would give you a few clues, but I suspect you're a bit beyond that.

      5. Anonymous Coward
        Anonymous Coward

        Re: Wait a minute

        "In the US, running bootleg copies of software is illegal."

        So?

        If you think anyone else cares, you have a major disconnection from reality.

        Even NSA subcontractors won't give a hoot. That's the most believable part of the whole story and on par with any observable reality.

        "Along with the implication that a NSA employee who has access to these tools is careless or dumb enough to install them on a Windows personal computer at home "

        That's exactly what people do. I see the commenter has never worked in IT support: no-one can even imagine how stupid things educated employees do. All the time.

    4. Anonymous Coward
      Anonymous Coward

      Re: Wait a minute

      "An NSA employee with access to highly classified information is STUPID enough to run a crack? And disabled his AV to enable it to run?"

      Sounds like senior management to me.

    5. This post has been deleted by its author

    6. Doctor Syntax Silver badge

      Re: Wait a minute

      "An NSA employee with access to highly classified information is STUPID enough to run a crack? And disabled his AV to enable it to run?"

      It's a conspiracy versus cock-up moment. Was he really that stupid or was this a sting operation with some chickenfeed to justify blacklisting Kaspersky?

      1. h4rm0ny

        Re: Wait a minute

        >>It's a conspiracy versus cock-up moment. Was he really that stupid or was this a sting operation with some chickenfeed to justify blacklisting Kaspersky?

        Given that this took place some time ago and that exploits have real value, I'm going to go with it being an error that they are opportunistically capitalising on. When life gives you lemons, sort-of-thing.

        NSA/USA don't really need real events to attack foreign powers over. With a compliant media and the inability of people to question your version (because it's all cloak-and-dagger take our word for it subject matter). I doubt they'd sacrifice real value for planning ahead a mud-slinging exercise two years in advance. When they can get as much effect just with the CIA saying "Russia hacked our election. We have evidence" on demand.

      2. mbck

        Re: Wait a minute

        That corrupted home machine full of pretend NSA malware looks like a honeypot to me. Tempt Kaspersky, have them upload, use as infection vector.

        Hence the deletion (from normal analysis environment). After the above was confirmed.

        Spy vs. Spy.

    7. Kiwi
      Coat

      Re: Wait a minute

      With brain donors like this

      I don't think there's much risk of that TBH.

  6. Mark 85
    Black Helicopters

    I'm wondering if the NSA spyware wasn't preinstalled on the computer by the NSA to keep track of employees and what they're up to. After Snowden's revelations and the damage it did to them, I wouldn't be surprised.

    We really need a tinfoil hat icon.

    1. katgod

      Interesting idea Mark 85

    2. Sir Runcible Spoon
      Facepalm

      I'm wondering if the NSA spyware wasn't preinstalled on the computer by the NSA to keep track of employees and what they're up to

      You mean just like a licenced copy of Office?

      1. Anonymous Coward
        Anonymous Coward

        I'm wondering if the NSA spyware wasn't preinstalled on the computer by the NSA to keep track of employees and what they're up to

        You mean just like a licenced copy of Office?

        LOL. Quiet day?

        :)

        1. Sir Runcible Spoon

          Quiet day?

          Conference calls all day :/

  7. TReko
    Black Helicopters

    Tinfoil hat time?

    Maybe I'm just suspicious, but the NSA is pissed off with Kaspersky for detecting its exploits.

    It can control US and EU based vendors and "persuade" them not to detect NSA exploits, but being Russian, Kaspersky is out of NSA's control. Perhaps this ban is a way of making an example out of those who don't toe the line, or perhaps I'm just paranoid?

    1. FuzzyWuzzys
      Thumb Up

      Re: Tinfoil hat time?

      "perhaps I'm just paranoid?"

      Nope, just very, very realistic!

    2. Pascal Monett Silver badge
      Trollface

      Re: perhaps I'm just paranoid?

      Yes, you are.

      Doesn't mean that you're wrong, though.

      1. Anonymous Coward
        Anonymous Coward

        Re: perhaps I'm just paranoid?

        When I was young I was always told I was being paranoid.

        In hindsight I realised (too late for my sanity) that I was quite right in most of my assessments and that the people accusing me of being paranoid were the very ones pissing up my back.

      2. Doctor Syntax Silver badge

        Re: perhaps I'm just paranoid?

        "Doesn't mean that you're wrong, though."

        Nor that they're not out to get him.

    3. Anonymous Coward
      Anonymous Coward

      Re: Tinfoil hat time?

      "It can control US and EU based vendors"

      UK-based yes, others questionable or no. No legal leverage and outside of NATO very little political/military leverage.

      Finnish F-Secure got some negative publicity in US and positive elsewhere when it found some NSA tools.

      Probably not much used in US so no similar political attacks against it like Kaspersky.

  8. Anonymous Coward
    Anonymous Coward

    FSB needs blenders

    If it comes down to being hacked by NSA or FSB, I'll choose the NSA. NSA never bought $2000 worth of blenders on my credit card.

  9. kain preacher

    So snowden and the rest should just claim they got hacked. Is the contractor going to jail ?

  10. kain preacher

    Ok, the cracked version of Office smells like BS. Who here has not helped themselves to their company's volume licensing for ahem certain MS products. If s/he is smart enough to be a hacker s/he is smart enough to do that. So either that person was targeted or for some reason a non-techie got ahold of some hacking tools. Not sure which is worse.

    1. bitten

      You think a clever hacker would rather hack his own company (the NSA) than a soft target (Microsoft)?

    2. FuzzyWuzzys
      Facepalm

      Mate, I've worked with MS admins who didn't realise the VL centre even existed! So I can quite believe someone who is not an MS admin doing something bloody stupid like running a keygen for Office.

      1. I3N
        Coat

        Sure enough, been in meetings where MS was blamed for charging for software was the excuse ... only employment requirement was that you could piss in a cup and pass a lie detector test

    3. Anonymous Coward
      Anonymous Coward

      "Who here has not helped themselves to their company's volume licensing for ahem certain MS products."

      On company laptop easy peasy. If it's BYOD, a bit harder and why would anyone working for NSA care a single bit about pirated software?

      You believe someone would come after them? Would anyone believe so? When you are already a professional criminal (spying on people illegally) why would you care as long as your back is secured (by NSA)?

      I really don't know but believable so far.

      Also: This person was turning antivirus off for weeks: That alone tells us the level of intelligence and/or carelessness involved.

  11. Anonymous Coward
    Anonymous Coward

    Kaspersky AV

    Sounding more and more like the way to go.

    PS: I keep all my State Secrets on a 1.44MB floppy under my old National Geographic collection in the basement...

    1. kain preacher

      Re: Kaspersky AV

      Sure and not your porn stash

      1. Paul Crawford Silver badge

        Re: Kaspersky AV

        "Sure and not your porn stash"

        Don’t be ridiculous! Who has a porn stash that can be fitted on a floppy?

        1. deadlockvictim

          ASCII Porn Stash

          Nonsense, my ASCII porn stash fits nicely onto a floppy.

          ASCII character 248 *is* sexy.

        2. Anonymous Coward
          Anonymous Coward

          Re: Kaspersky AV

          Don’t be ridiculous! Who has a porn stash that can be fitted on a floppy?

          If you have a floppy and a porn stash, your stash just ain't that good.

    2. Roland6 Silver badge

      Re: Kaspersky AV

      >PS: I keep all my State Secrets on a 1.44MB floppy under my old National Geographic collection in the basement...

      I assume the State Secrets date from the time when 1.44MB floppies were in common usage and hence it is questionable whether the disk after all this time is actually readable...

  12. MondoMan
    Happy

    The photo looks like Dan Akroyd...

    (letters)

    1. Anonymous Coward
      Anonymous Coward

      Re: The photo looks like Dan Akroyd...

      Steve Bannon, without his liver sticking out.

  13. Anonymous Coward
    Big Brother

    PLA, NSA, KGB, Mossad....

    Someone's botbot will soon be smarting!

  14. Adam 1

    can I just point out

    Mikko's tweet deserves more than 9 hearts or whatever you newfangled kids call them votes of appreciation on the interwebs. Brilliant.

  15. Anonymous Coward
    Facepalm

    <facepalm>

    "Users can configure Kaspersky's software to not send suspicious samples back to Mother Russia for scrutiny, however, in this case, the NSA staffer didn't take that option, allowing the highly sensitive files to escape."

    And these are the people who are allegedly keeping the world safe from criminals? Do you really want incompetents like that snooping around your data?

    1. Wulfhaven

      Re: <facepalm>

      I'd rather have the incompetents than someone competent doing the snooping truth be told.

    2. DropBear

      Re: <facepalm>

      Don't conflate the best or even the average of any organisation with its weakest. It's a classic mistake we humans love to do, slipping into the cosy complacency that considering those we don't like idiots all across the board affords. Not that it would matter much directly for most of us who will never face any TLA personally - but these reassuring assumptions slowly seep into the foundations and end up slipping into how we think of things and ultimately the decisions we make. Just don't. That said, this bloke was either clearly not part of the best and brightest or made a very, very costly poor judgement call...

      1. Kiwi
        Big Brother

        Re: <facepalm>

        That said, this bloke was either clearly not part of the best and brightest or made a very, very costly poor judgement call...

        Or perhaps, just perhaps, they want people pointing at "NSA incompetence" and laughing.. While the NSA competently has their way with the data.

        (El Reg, another vote for a tin-foil hat icon!)

      2. Anonymous Coward
        Anonymous Coward

        Re: <facepalm>

        "That said, this bloke was either clearly not part of the best and brightest or made a very, very costly poor judgement call..."

        The total recklessness points to upper management. It's always full of people who believe company rules don't apply to them.

        Lowly peons don't dare to do stuff like this, they'll get fired and/or jailed.

  16. John Smith 19 Gold badge
    WTF?

    Is everyone's WTFometer going crazy about now?

    NSA supports BYOD?

    NSA OK with Kaspersky as AV solution on BYOD?

    Staffer shuts down AV so they can crack a bootleg copy of Office?

    I think you can see where I'm going with this.

    What the f**k?

    1. Mark 65

      Re: Is everyone's WTFometer going crazy about now?

      Not sure it was BYOD. It seems to be more of "take shit home you really shouldn't and store it on your Windows PC". Not like there isn't precedent for shit going missing from their network before.

  17. Mr Sceptical
    Paris Hilton

    Motive?

    What exactly was the NSA staffer going to use said software for anyway? I can't think of any legitimate reason for them to take it home and you certainly wouldn't do dev work on your own PC!

    Perhaps a bit of 'personal research' being done? Were they stalking someone or moonlighting as a corporate espionage contractor?

    Paris - because was this all triggered by an urge in the pants department?

    1. Kiwi
      Boffin

      Re: Motive?

      I can't think of any legitimate reason for them to take it home and you certainly wouldn't do dev work on your own PC!

      Autistic/Asperger's types who love/are obsessed with learning about/playing with/coding/defeating malware (delete/add to as appropriate) could quite conceivably want to take stuff home with them for further study. I've known some who get "stuck" on something and that becomes their whole world - they live/breathe and even sleep whatever their focus is, and nothing else gets in.

      They also have a tendency not to grasp the rules, or the reasons behind them, and have a tendency to believe they know better and therefore safety rules don't need to apply because they'd spot the malware before the AV and be able to deal with it effectively and therefore are perfectly safe.

      Would also explain the bedroom environment, because a lot of Asperger's/ADHD types basically live there if they get stuck on computers.

      In all of this, I am speaking from personal experience - not just from people I know but from my own life.

      1. anonymous boring coward Silver badge

        Re: Motive?

        "Autistic/Asperger's types who love/are obsessed with learning about/playing with/coding/defeating malware (delete/add to as appropriate) could quite conceivably want to take stuff home with them for further study. I've known some who get "stuck" on something and that becomes their whole world"

        You are just describing any decent dedicated programmer working in a specific field. No different to a dedicated scientist. Just being a sloppy "couldn't-care-less" lazy code grinder is hardly the pinnacle of engineering.

  18. IceC0ld

    maybe ask why NSA runs a Russian AV on its systems at all really ?

    surely, they, of all people are capable of creating their own AV ?

    1. Anonymous Coward
      Anonymous Coward

      maybe ask why NSA runs a Russian AV on its systems at all really ?

      surely, they, of all people are capable of creating their own AV ?

      1 - Kaspersky really is one of the better ones.

      2 - You seem to labour under the same illusion as other people when it comes to hacking vs security.

      That someone is good at breaking in does not mean they're also good at defence in the same way that a burglar may know all the weak spots but may not know the detail of how to correctly deploy the defence mechanisms that would keep him (or her) out. Hackers can show you weaknesses, but they are not the right people to verify that the full picture of all your security measures and associated processes is up to scratch.

      This is also why it amuses me when security outfits advertise that they have retained former staff/management/directors of spy agencies: for anyone competent in these matters (and I think I may occasionally qualify, provided I've had my first coffee) they have just signalled that it is worth avoiding their services because you have no way of knowing why said entities are involved...

  19. PNGuinn
    Pirate

    Wait just a doggone minute ...

    There's an easy way to prove the veracity or not of all this:

    1. Has a copy been found on Billary's private email server?

    2. Has a copy been found on The Donald's private email server?

  20. Doctor Syntax Silver badge

    Sour grapes

    Kaspersky AV acted just like malware detection systems are intended to. This wasn't just malware, it was NSA malware. It sounds like a pretty good recommendation for anyone in the market.

    If, like the NSA, you're in the business of producing malware you should expect malware detection businesses to be looking out for your work.

  21. Sabot

    "Following a request from the CEO, the archive was deleted from all our systems." Why? Because the CEO is allowed to make such a request?

    1. h4rm0ny

      Yes. If in the routine course of investigating new malware, Joe Programmer realises what they're looking at is a bundle of NSA property, that's going to go right up the chain to the top. Where the CEO will make a decision. It's not a standard occurrence.

  22. Anonymous Coward
    Anonymous Coward

    Lessons learned?

    AV firms & Microsoft like to repatriate data / files they find during scans. Who knows what they send or whether they respect chosen AV settings. So best to use standalone-AV unplugged from the net, and delete install / data files produced during scans (Sysinternals ProcMon-ProcExp help).

  23. John Savard

    Deleting

    Deleting NSA nation-state malware is appropriate, as the United States of America is a democracy. In the case of other countries, such as Russia or China, it would not be, as these countries (that is, their governments) are enemies of human freedom.

    1. h4rm0ny
      Trollface

      Re: Deleting

      In the last US election, Hillary won the popular vote but Trump became president. In the UK more people voted against Blair's last government than for it, and yet he secured a sizeable majority. In Russia, where they have proportional representation, neither of these would be the case.

      Tell me again how the USA is a democracy but Russia is not. Oh wait, it's because of the unbiased media in the USA? Right? Right?

    2. Hollerithevo

      Re: Deleting

      Mr Savard, you so funny!

  24. Anonymous Coward
    Anonymous Coward

    The mere fact Kaspersky can provide such a detailed account

    Shows exactly why they can't be trusted. They know the timeline of everything he was doing with his computer, and with the DEFAULT SETTINGS downloaded the NSA's treasure trove (the presence of which on his computer is on the NSA guy and the NSA itself). I'm sure all this juicy secret info wouldn't be shared with Russian spooks, because obviously Kaspersky is not only not cooperating with them, they wouldn't have a single Russian spook embedded without their knowledge (that was dripping with sarcasm, for those with a totally broken detector).

    Now this doesn't say that other AV vendors are necessarily more trustworthy - the ones based in the US are equally likely to have an overly cozy relationship with US spooks, and/or US spooks secretly working for them too in case they don't have said cozy relationship.

    It is quite easy to see why the US government would not want to use Kaspersky on any of its computers. How are they going to guarantee that every single copy is correctly configured to not download stuff back to Mother Russia where anything interesting is highly likely to end up in the FSB's / Putin's hands? Much better that they use a US company, so that if anything escapes it at least stays inside the US government.

    1. Anonymous Coward
      Anonymous Coward

      Re: The mere fact Kaspersky can provide such a detailed account

      It is quite easy to see why the US government would not want to use Kaspersky on any of its computers.

      To make that argument apply to Kaspersky you need to show that this isn't the default with all the others, and I fear you've lost the high ground at that point. They're all at it, every single one.

      These days there is quite simply NO excuse for not thoroughly checking default settings in applications (as well as Operating Systems), and in most cases rechecking them after an upgrade.

      That said, it's a free world. Feel free to install an alternative product of US origin. Especially if you are NOT a US citizen you may end up a possible problem for an actual one..

    2. John Smith 19 Gold badge
      Unhappy

      "How are they going to guarantee that every single copy is correctly configured"

      Seriously?

      This is the NSA we're talking about.

      Your PC or laptop is GI and should be a standard build, with standard (and tight) security settings.

      If you don't know how it's possible to do that find a grown up and ask them.

      1. Anonymous Coward
        Anonymous Coward

        Re: "How are they going to guarantee that every single copy is correctly configured"

        Yes, all the others do it too but I guess you missed the point that Kaspersky is a Russian company, and some of the competition are US companies. Which is safer for the US government if (or should I say when) files escape due to misconfiguration?

        And to reply to John Smith 19's point, sure the NSA is going to have a standard build and settings will be tight. But do you really think the story will be the same for EVERY government agency? You're crazy if you do, there is tons of inconsistency in US government IT today and it isn't just NSA level secrets you're worried about. You could have the president's health records on a computer at Walter Reed, or US strategies for renewable energy at the DOE, EPA or some other department. There is a lot of stuff that the FSB would be interested in if it falls into their lap courtesy of Kaspersky.

        If some government department uses misconfigured McAfee software and that information gets sent to Intel, the only intelligence organization it will go to is the NSA.

      2. Doctor Syntax Silver badge

        Re: "How are they going to guarantee that every single copy is correctly configured"

        "This is the NSA we're talking about."

        This is some NSA staffer's home computer, not a work computer. Given what he seems to have been up to I doubt he'd venture to ask a grown up.

        It's entertaining to imagine the conversation though:

        "I have a machine at home. I want to install a cracked pirated version of MS Office on it and also play about with some of our own software on it. How do I secure it?"

        "Just come with me to the security office."

      3. Anonymous Coward
        Anonymous Coward

        Re: "How are they going to guarantee that every single copy is correctly configured"

        For what it's worth: Yes.

        For all its shortcomings, MS has produced, and has consistently pushed the use of, a centralized command-and-control system for companies using Windows. So successfully, indeed, that open source has a project/product to integrate with it. It's called Active Directory (AD); the open source compatible one is Samba4.

        Plus, for Windows machines involved in such centrally controlled networks, AD provides the ability to push, pull, review settings of about everything in the "leaf" machine (GPO). In over ten years I haven't seen even a medium sized network not using AD and GPO's -- you see, it makes administration easier.

        OBTW, any VPN worth its salt can insist on *not* allowing full access to the Wild Internet, but restrict access to what goes through a tunnel to the Mother Ship.

        -----

        To me, it means that the Kaspersky-equipped PC was very likely under AD control, and that its configuration also was.

        It also means that if you manage to pwn an AD server, that whole network should be rebuilt from scratch.

        Leaves us with a few options, very few of them pointing to a bumbling idiot bringing his work PC home and connecting to an unsecure network.

    3. Doctor Syntax Silver badge

      Re: The mere fact Kaspersky can provide such a detailed account

      "They know the timeline of everything he was doing with his computer, and with the DEFAULT SETTINGS downloaded the NSA's treasure trove (the presence of which on his computer is on the NSA guy and the NSA itself)"

      Could you point out to me just where this timeline of everything is mentioned? All I can see are a few dates when the AV was run and found malware. In fact they specifically say that they don't know when some things happened because the AV was turned off. They also say that an archive containing samples of suspicious material was sent back. This is what AV systems need to do to get early detection of new variants. Given that a supposed security pro dumb enough to get infected didn't turn the default off, what chances are there that there'd be enough community-minded folk dumb enough to be infected who would turn the early warning system on if it was defaulted to off?

    4. Roland6 Silver badge

      Re: The mere fact Kaspersky can provide such a detailed account

      The mere fact Kaspersky can provide such a detailed account

      Shows exactly why they can't be trusted. They know the timeline of everything he was doing with his computer, and with the DEFAULT SETTINGS downloaded the NSA's treasure trove

      Getting carried away with conspiracy theories; remember the timeline of events was assembled AFTER the event.

      After the event, Kaspersky legitimately had in their possession among other things: the full subscription details of the instance of Kaspersky that discovered the NSA toolkit and the logs retained by the Kaspersky client and uploaded as part of the discovery report. With this information and probably other records of previous scans - accessible through the subscription details, it is possible to build up a sequence of events.

    5. Kiwi
      FAIL

      Re: The mere fact Kaspersky can provide such a detailed account

      and with the DEFAULT SETTINGS downloaded the NSA's treasure trove

      SHOCK HORROR! Antivirus software finds new variant of old malware, uploads sample to base for further research AS IS NORMAL PRACTICE!

      Would much rather a Russia have my data than some yank, esp with the CMIC as HOG at present.

  25. Bucky 2

    So the dude:

    - Stole from his employer

    - Stole from Microsoft

    - Gave up government secrets

    ...but the big deal is the industry-standard functioning of anti-virus software? And is thus the fault of Kaspersky?

    Something doesn't feel right. I'm calling shenanigans on the whole thing as some kind of publicity stunt.

  26. Anonymous Coward
    Anonymous Coward

    911. Just saying, "Nine Eleven".

    "Timeline

    On September 11, 2014, Kaspersky's software detected the Win32.GrayFish.gen trojan on the NSA staffer's PC"

    Coincidence or conspiracy?...

    1. Kiwi
      Big Brother

      Re: 911. Just saying, "Nine Eleven".

      Coincidence or conspiracy?...

      Under normal circumstances for normal countries with normal psyches, I'd say coincidence.

      However, given how many from the US get quite emotional at all things to do with 12/9 (to the point that I've had death threats for calling it 12/9 - hello I'm in NZ so for me it happened on the morning of 12th September 2001!), and given how certain people including certain types in state-run organisations like to play on those emotions, I'd have to side with a hint of conspiracy here. Just a hint mind, coincidence is a little more likely.

  27. Anonymous Coward
    Anonymous Coward

    Regardless what people on this forum believe or think they know...

    When it comes down to it, I suspect Kaspersky will be willing to present its evidence for public scrutiny.

    The government side not so much. Evidence, yeah we've heard of it, but propaganda is much more effective.

    And if Spain is anything to go by, Western democracies are just starting to roll out the sedition laws against people they don't like - as George Bush said, you're either with us or against us.

  28. anonymous boring coward Silver badge

    I trust Kaspersky slightly more than any US based entity. Which is not a whole lot for any of them.

    If you are going to steal all my data, at least don't bog down my computer while doing it.

  29. wayne 8

    Works for NSA. Does not use a Linux Distro at home.

    Helplessly inept about computers:

    1. uses Windows at home.

    2. uses a pirate copy of MS Office.

    3. disables AV software to load dodgy package.

    Kaspersky is the Problem?

    There is more to this story.
