Tuesday, October 31, 2017

The Year of Transparency

I'm just going to quote a small section here of Rob Graham's blog on Kaspersky, ignoring all the stuff where he calls for more evidence, like everyone does, because it's boring and irrelevant.
I believe Kaspersky is guilty, that the company and Eugene himself, works directly with Russian intelligence.

That's because on a personal basis, people in government have given me specific, credible stories -- the sort of thing they should be making public. And these stories are wholly unrelated to stories that have been made public so far.

There's a lot to read from the Kaspersky press release on the subject of their internal inquiry. But the main thing to read from it is that the US information security community has already had a master class on Russian information operations and yet the Russians still think we will fall for it.

If any of you have a middle schooler, you know that they will gradually up the veracity of their lies when they get caught skipping school. "I was on time"->"I was a bit late"->"I missed class because I was sick"->"I just felt like playing the new Overwatch map so I didn't go to school."

In the Kaspersky case we are led to believe that Eugene was completely caught out by these accusations, and at the same time that someone in 2014 brought to him a zip file full of unreleased source code for NSA tools which he immediately ordered deleted without even looking at it and without asking any detailed questions about the matter.

This is what all parents call: Bullshit.

The US likely has multiple kinds of evidence on KasperskyAV:

  • SIGINT from the Israelis which has KEYLOGS AND SCREENSHOTS of bad things happening INSIDE KASPERSKY HQ (and almost certainly camera video/audio which are not listed in the Kaspersky report but Duqu 2.0 did have a plugin architecture and no modern implant goes without these features)
  • Telemetry from various honeypots set up for Kaspersky analysis. These would be used to demonstrate not just that Kaspersky was "pulling files into the cloud" but HOW and WHEN and using what sorts of signatures. There is a difference to how an operator pulls files versus an automated system, to say the least. What I would have done is feed the Russians intel with codewords from a compromised source and then watched to see if any of those codewords ended up in silent signatures.
  • HUMINT, which is never ever mentioned anywhere in any public documents, but you have to assume the CIA was not just sitting around in coffee bars wearing tweed jackets all this time wondering what was up with this Kaspersky thing they keep reading about. Needless to say, the US does not go to the lengths it has gone to without at least asking questions of its HUMINT team.

I know the Kaspersky people think I have something against them, which I do not, or that I have inside info, which I also do not. But the tea leaves here literally spell the hilarity out in Cyrillic, which I can, in fact, read.

Wednesday, October 11, 2017

The Empire Strikes Back

XKCD needs to calculate the strength of those knee joints in a comic for us.

It's fascinating how much of the community wants to be Mulder when it comes to Kaspersky's claims of innocence. WE WANT TO BELIEVE. And yet, the Government has not given out "proof" that Kaspersky is, in fact, what they claim it is. But they've signaled in literally every way possible what they have in terms of evidence, without showing the evidence itself. This morning Kaspersky retweeted a press release from the BSI which, when translated, does not exonerate him so much as just ask the USG for a briefing, which I'm sure they will get.

Likewise, where there is one intelligence operation, there are no doubt more. Kaspersky also runs Threatpost and a popular security conference. Were those leveraged by Russian intelligence as well? What other shoes are left to drop?

Reports like this rewrite our community's history: Are all AV companies corrupted by their host governments? Is this why Apple refused to allow AV software on the iPhone, because they saw the risk ahead of time and wanted to sell to a global market?

If I were Russian intelligence leveraging KAV, I would make it known that if you put a bitcoin wallet on your desktop, and then also bring tools and documents from TAO home to "work from home," and you happen to have KAV installed, your bitcoin wallet would get donations. No communication needed, no risky contacts with shady Russian consulate officials. Nothing convictable as espionage in a court of law. Maybe I would mention this at the bar at Kaspersky SAS in Cancun.

But the questions cut both ways: Is the USG going to say they would never ask an American AV company to do this? The international norms process is a trainwreck and the one thing they hang their hats on is "We've agreed to not attack critical infrastructure" but defining what the trusted computing base of the Internet as a whole is they left as a problem for the "techies".

We see now the limitations of this approach to cyber diplomacy, and the price.