Continuing the thread on Kaspersky anti-virus software, Dr. Herb Lin on Lawfare has some more information:
… how widely deployed is Kaspersky software on non-U.S.-government computers? This includes personal computers of U.S. government employees, of course, but also the work and/or personal computers of many in the private sector. What kinds of information have been taken from those computers? And what is the potential for mischief or malfeasance with that information being compromised?
Taken together, these questions speak to an even more serious compromise: the fact that the Russians are able to mine and are mining the documents, one by one, on the computers of every single Kasperksy user. Kaspersky software is used by 400 million individuals and is the most popular European security software vendor. I suspect the information derived from that scale of operation is much more significant than what they got from one user, important though he may be.
I personally find this to be a staggering thought, despite the fact we’re talking about computers, those elementals of multiplication. 400 million people are using software masquerading as a security construct, but is instead a personal spy looking over all of their shoulders – put that thought in your head. Jam it in with a hammer. The only mitigating factor is that the amount of information being stolen is a virtual flood, but software capable of filtering out the chaff has no doubt been developed and employed to find the nuggets of gold among the water & sand. (I was going to work Mata Hari into my metaphors as well, but I think I’ll quit while I’m ahead.)
OK, if you’re feeling a bit paranoiac now – if you’re checking your Windows registry to see if you’re using Kasperksy – then you’re ready for the next thought.
Turn the concept around. I mean, now that you’re properly paranoid, who are you going to trust? Does your anti-virus software come with a personal promise from the company’s CEO stating that the software is not a Trojan Horse? How about the same promise from the engineers at the company? (How about those engineers at third party software suppliers that the first company bought from?) What does your software warranty say?[1]
Trust on the Internet is, of course, a big topic, and one I haven’t tried to keep up with it lately. But I’ve noticed a lot of it appears to assume that the software in question is, prior to delivery, pristine and ideally suited for its purpose.
But this Kasperksy incident highlights, for me, an underappreciated element. There are relatively few people qualified to study a chunk of software and certify that it accomplishes its putative purpose while having no hidden agendas – not only must they know algorithms and languages, as well as understand the user requirements, a lot of software is written in difficult to understand ways[2] – when the source is available at all. It’s not like inspecting and testing a hammer.
It justifies my own ill-defined reluctance to place critical data anywhere near a computer, whether a 5.25 floppy drive or in the Cloud[3]. I’m starting to wonder about the trend to put everything online. While it may be convenient for online maintenance by software engineers, having critical installations such as electrical automation systems[4] available via the Internet continues to strike me as madness.
So will we see the beginning of a trend towards moving data offline? I know folks more intimate with these incidents are urging same, such as my friend Steve Yelvington[5]. But will these be taken seriously before a truly damaging incident takes place?
And that leads to the question of what should be automated? Can a principle be promulgated towards making decisions concerning what legitimately should be handled by computers – such as very difficult mathematical calculations – and what should be avoided due to safety concerns?
That may be the question for the future.
1Does software come with warranties yet? Being a Linux engineer, I don’t expect to see a reasonable warranty since I didn’t pay for this stuff in the first place.
2While it’s tempting to suggest such code reflects the state of a programmer’s sanity, I shall relent and admit to it being the inexperienced. In most cases.
3When it comes to the Cloud, I can only think of the old bit of humor: There is no Cloud, it’s just someone else’s computer. Which always makes me jumpy, because it’s true. We’ve returned to time-share systems.
4This I know from a short stint at Siemens Energy Automation Systems. The only job that actually gave me nightmares.
5Various Facebook posts. I feel certain Steve has more authoritative sources.
