Schneier on Security
A blog covering security and security technology.
« Lone Shooters and Body Armor |
| Hotel Door Lock Vulnerability »
August 2, 2012
Profile on Eugene Kaspersky
Wired has an interesting and comprehensive profile on Eugene Kaspersky. Especially note Kaspersky Lab's work to uncover US cyberespionage against Iran, Kaspersky's relationship with Russia's state security services, and the story of the kidnapping of Kaspersky's son, Ivan.
Kaspersky responded (not kindly) to the article, and the author responded to the response.
Posted on August 2, 2012 at 6:23 AM
• 23 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I worked for KL for more than a decade. Yes, lots of misquotes and lie in both article and respond to respond.
It all comes down to integrity, as is always the issue with security. I personally have great trust in Eugene, and have no reason to question the integrity of the man, whom I've met on several times.
I met a Russian hacker who had passed through KL and was on his way to the US for 'a new job'. Stating that a number of his hacker friends were now dead was kind of worrisome. One of the smartest guys I've known...
Seems Eugene has angered someone somewhere and he's been targeted for a smear.
OT, but really, Bruce, some timely Chuck Norris style terse commentary would be appreciated on the final stake through MS-CHAPv2.
I know, I know -- you already said all there is to be said here:
"the revised protocol is still vulnerable to offline password-guessing attacks … we still do not recommend Microsoft PPTP for applications where security is a factor."
Can anyone comment on the status of L2TP using MS-CHAPv2 authentication (maybe on topic when BS posts on this)?
I worked with him as kids in the army.
Mention anything remotely related to America or Americans to him inside Russian borders and see what he does ^^
He goes to clubs with the president
I don't understand why he thinks the Wired article indicated he was using his son as bait.
Thanks for these interesting links. The Wired article made me think about how lucky we are that at least one of the world's leading IT companies is not US-owned. I highly doubt that Stuxnet would have been published if a US-based company had detected it. If Kaspersky would have the same status as Google or Microsoft (= if it had a monopolistic position), it would be worrisome (just like, well, Google and Microsoft). But as it is now, Kaspersky can publish the American malware, and Symantec and McAfee can publish the Russian malware. And all 3 of them can publish any other malware, made by criminals or states. Can't think of anything bad coming from this.
Indeed I even hope Kaspersky is as powerful as the article suggests, and becomes even more powerful. The world needs at least one global IT player which can't be controlled by the US government (like Google, Facebook, Twitter, Oracle, Microsoft, Symantec, McAfee, Cisco, etc. etc.). This concentration of power can't ever be a good idea.
What other perspective might one expect from this particular author? Just look at The Brookings Institution's donor list.
Ho hum. The world according to conde nast...
The article seems to be tainted by Cold War era fears of the Soviet Union. The tone of the article is definitely in Kaspersky's disfavour, even though American companies are even more under the control of the government (or vice versa) than what seems to be the case with Kaspersky Labs.
What portion of McAfee's and Symantec's revenue stream stems from the US government? How often do they brief (or scare?) US officials on cyber threats? How much money goes into the pockets of the US Military-Industrial Complex, which is one of a kind in the world in terms of size and lobbying power?
Pointing the finger at Kaspersky seems absurd in the setting that the US has placed herself.
I read this article as: "Eugene Kaspersky and his company are in bed with the Russian government and he believes the internet should be strictly regulated because there is too much freedom. Therefor they cannot be trusted".
Even if this is true, can somebody please explain to me how this is any different from US companies and their government, apart from the fact that maybe they are a bit less vocal about it when speaking out in public ? Just a few examples:
- In 2002, former Symantec CEO John W. Thompson was appointed to the National Infrastructure Advisory Committee (NIAC) which makes recommendations regarding the security of the critical infrastructure of the United States. In January 2009, news sources reported that Barack Obama was considering him to fill the post of Commerce secretary in his administration.
- Microsoft teamed up with the NYPD to launch the new NYC domestic awareness system. They also just fell short of admitting that their new Skype infrastructure can be used to monitor people's voice calls.
- I vaguely remember some guy called Dick Cheney and his company Halliburton and its affiliates. Although in this specific instance one could ask the question who is actually owning who.
- Cisco's iOS features "lawful intercept" functions, read government backdoors. At least they expose it to peer review and security scrutiny.
- Following a FOI request made by EPIC, courts ruled in favour of the NSA refusing to confirm or deny whether it had any relationship with Google
- In a public speech in 2010, Facebook's CEO Mark Zuckerberg argued privacy is no longer a social norm.
The list goes on and on. The entire article is just as silly as a Denver newspaper headlining a murder committed by a Russian immigrant the day after the Aurora shootings.
@ Dirk Praet
Think of it this way:
Humans are systems, governments are the engineers. They need the tools to see what is going on. Us engineers use Oscilloscopes, Logic analyzers, Debuggers, etc... to see inside the systems. Governments (all of them) need to see through people! Their tools are Nudie machines, backdoors, and snitches, etc...
I wonder how many shoes are gonna be thrown at me now :)
No shoe throwing is in order here. Although we may be drifting a bit off-topic, I consider a government as the executive branch of temporarily elected officials voted in office by the people, and working for the common good. Others may consider it as a tool run by a privileged elite to establish and retain control over the people, and in which the preservation of the status quo/balance of power is the highest goal attainable. There's no right or wrong here, just different views on society.
Mr. Freud is greeting from his Response:
"All three of the world’s leading security companies – Symantec, McAfee/Intel, and Kaspersky Lab – work with law enforcement bodies worldwide to help fight cyber-crime. The ITU"
Whoopy, the ITU is a Law-Enforcing-Agency? The first one to come to Eugenes mind when defending his doing...
That is what Feud was talking about :)
@Meerman did you miss the full stop there? "The ITU" is the start of a new sentance.
And FFS the KGB is one of those organiastions that you canot retire from you only leave when your dead.
The WIRED DANGER ROOM is usually the weakest part of the WIRED offerings.
I don't know how they keep finding authors for that kind of nationalistic self-delusions mixed with full color cheery arms industry adverts.
Well OK, I guess it pays well...
The author seems to be out of his depth, and derives outrageous conclusions out of innocent facts he fails to interpret. For example, he probably knows nothing about dembel - the Russian word meaning decommissioning, but oh so much more than that. Soldiers start to work towards the long awaited day months ahead, and one of the ways to get ready - is to prepare the dembel uniform, only to be ever worn on that long awaited day. Keeping this (naturally, pristine looking) uniform in one's closet is akin to keeping one's mortarboard after the graduation - it doesn't mean that you're likely to get back into academy, any more than keeping this uniform is a sign that its owner is getting ready to be reinstated in the Red Army, long extinct.
As the "Danger Room" section of Wired suggests, this is a totally sensationalistic write up and character assassination of someone who has welcome Mr Shachtman into their lives to be interviewed. I think we wont see much of him having this kind of access to persons-of-interest anymore.
Good luck to Russian Hacker in the USA!
Hopefully his new job offer is not part of 'sting' operation for his 'sins' in the past and his job offer not finalized through federal court/prison.
Same scale/criteria should be applied for evaluation activity/connection to the government regardless of country of origin. I agree that more independent sources of expertise on any subject is always better.
For KL: may be Eugene could provide his employees with similar benefits as Google taking into consideration profit of KL. That is a l w a y s works as multiplicator for company growth boosting creativity and loyalty. I am pro carrot management style, like if you want more milk from your cow, you feed it better rather than pull titts harder.
@ vasiliy pupkin
I am pro carrot management style, like if you want more milk from your cow, you feed it better rather than pull titts harder.
I totally agree, and I love your analogy too. Pretty funny!
OTOH, I don't know how to break-in this sad news to you... Cows, my friend, don't have "tits". They have udders and teats.
Stop dreamin' ;)
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.