Tuesday, November 20, 2018

A Question of Trust

For those of you who have not read Eugene Kasperky's latest piece, it is here:

I have pasted the most relevant section below.

While obviously Kaspersky's transparency initiative is a good thing, and probably something that should be emulated by other companies in the field, I think it's worth taking a step back to see what metrics you can judge its design on for effectiveness. Many portions of the stated initiative don't seem to be relevant in security sense - they are for marketing purposes, as cover for people who want to use Kaspersky software and are looking for an excuse.

Some questions, a positive answer to any one of which is fatal to the goals of a Transparency initiative:

  • Can Kaspersky update the software of only one computer, or write a rule that would run only a subset of computers? 
  • Is the data from computers in France still searchable from Moscow? (And hence, subject to Russian law?)
  • Could Kaspersky install a NOBUS backdoor which would get through the review of the Transparency team in Switzerland and get installed on international customers?
I think the answer to these questions is probably "yes".

The hard problem here is that the goal of a "Trust" initiative of this nature is to be able to protect your customers while provably being being unable to see what they are doing, or target them in any way. The most obvious solution would be for Kaspersky to start up an entirely independent operation to handle the international market, at the cost of any economies of scale (and also at a reaction time trade-off). Even that might not even solve the third question, although at a certain point you have to admit that you are setting a bar high enough that software from extremely risky development locales is not going to clear it (which sucks for Kaspersky, but is an extremely realistic risk profile, depending on who you talk to!).

As a final note, this talk by a Kaspersky researcher is fantastic:

No comments:

Post a Comment