[erdojo]

This is what I read between the lines:

An NSA spook was working on his home laptop and playing around with some special NSA malware.

Kaspersky AV detected it - AS IT SHOULD - based on heuristic or behavior-based technology that just about every modern AV has.

The data was sent back to Kaspersky servers. This is also how everyone else does it, because this is how A/V companies create signatures that are pushed out to all other people who use Kaspersky so they can be protected against malware that could quickly go viral.

Israelis were poking around KAV servers and found the malware, and told the US Gov.

Those are the facts, right? Everything else is speculation, no? Did I miss something that proves the thesis of the story and the government accusations?

[mikevm]

According to the NYT article[0]:

> Israeli intelligence officers informed the N.S.A. that in the course of their Kaspersky hack, they uncovered evidence that Russian government hackers were using Kaspersky’s access to aggressively scan for American government classified programs, and pulling any findings back to Russian intelligence systems. They provided their N.S.A. counterparts with solid evidence of the Kremlin campaign in the form of screenshots and other documentation, according to the people briefed on the events.

[0] https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-...

[willstrafach]

More specific detail regarding this was revealed today[0]:

> Wednesday's report, citing unnamed current and former US officials, said the help came in the form of modifications made to the Kaspersky antivirus software that's used by more than 400 million people around the world. Normally, the programs scan computer files for malware. "But in an adjustment to its normal operations that the officials say could only have been made with the company's knowledge, the program searched for terms as broad as 'top secret,' which may be written on classified government documents, as well as the classified code names of US government programs, these people said."

[0] https://arstechnica.com/information-technology/2017/10/kaspe...

[kharms]

"Everything else is speculation" ignores the well sourced "speculation" about Kaspersky's next step: letting the FSB know about this contractor so they could target and breach his machine.

It's speculative in the sense that we weren't there, but the information comes from the same source as all of those facts.

[morsch]

There is no single source for the article.

It refers to a "person familiar with the case" when they explain how an NSA guy exposed his malware to Kaspersky.

It refers to different sources which discuss how any malware might have made its way from Kaspersky to the NSA -- unnamed "information security analysts" (they think the KGB hacked Kaspersky), "other experts" (they say the Russian's version of PRISM picked it up) and Steven Hall, a former spook with no disclosed ties to the case (he says Kaspersky is "likely to be beholden to the Kremlin").

[stickdogg]

It is obvious to me that Kaspersky is beholden to the Kremlin. The founders of Kaspersky are after all Russian.

[thewhitetulip]

Why would a hacker not use Mac or Linux for sensitive stuff?

[andreif]

Why would a NSA guy use Russian security software?

[leereeves]

Why would an NSA guy put secret government tools on his personal laptop?

[YouKnowBetter]

Stupid as it may sound, but my experience with many many "why did you take the data there" dramas, the answer is:

To get things done you can not do at the office or you just lack the office time to get it done.

[marcosdumay]

Too restrictive corporate policies?

[marcusjt]

User error

[_e]

Why would a NSA guy even run any AV? Isolate and compartmentalize everything based on the task and its dependencies. You should assume everything you run could be bad or that you are already compromised.

[wetghost]

He works for the NSA, but he was on his home computer which is unlikely to stay air-gapped unless he's content with making mspaint art and playing skifree :)

[stickdogg]

Straight up. They spew forth this stupid reasoning so that the general public will become frightened. Most people don't understand what any AV does, or how it operates anyway. For them to understand compartmentalization based on dependencies is way too far out there. The US government might have granted access as well in another effort to spread fear amongst the uneducated American populus.

[thecrazyone]

Is this reasonable to do with number of softwares even average people use?

There was a person on the docker team, who had dockerized every other applications like chrome, firefox, ALSA sound server, and more. But even she found it hard to sandbox everything.

I'm using docker as a leading sandboxing tech. Do you mean something else when you mean sandbox?

[SEJeff]

Because he's a RIS mole pretending to be incompetent.

[13of40]

I assume if you voluntarily give Kaspersky root access to your laptop, they don't care whether it's Windows, Mac, or Linux.

[marcosdumay]

Does Karpersky sell that run on Macs or desktop Linux?

[13of40]

According to Google they have both, and based on the descriptions they probably follow the same model as the Windows one. That said, it would be kind of ironic if the original comment actually meant, "Use Mac or Linux for sensitive stuff because there's a good chance Kaspersky doesn't exist (or work very well) on them."

[acqq]

Where did you read "letting the FSB know about this contractor so they could target and breach his machine."

I somehow missed to see that anybody but you claims that, so please give some link. I also, like the parent poster, only read that the antvirus program, as it should, collected the virus to the company servers.

[kharms]

I read that in the WSJ article that first revealed the security breach.

https://www.wsj.com/articles/russian-hackers-stole-nsa-data-...

>The hackers appear to have targeted the contractor after identifying the files through the contractor’s use of a popular antivirus software made by Russia-based Kaspersky Lab, these people said.

[bobwaycott]

That quote doesn’t say anything at all that indicates Kaspersky “let the FSB know”, as you keep stating.

[acqq]

It is behind a paywall but the quote you give has no sense in the context of the rest of the information I've read. That narration would be different then. Israelis hacked Kaspersky offices, discovered what the antivirus automatically transferred. It is not claimed they discovered anything else there. NSA obviously didn't know what their worker did at home, until Israelis informed them, so how do they know he was targeted afterwards and that Kaspersky was directly involved? Something is still missing.

[lurker69]

Here is sans paywall link: https://archive.is/hB3eo

No mention of FSB in that article.

[acqq]

Thanks. There is however:

"Investigators did determine that, armed with the knowledge that Kaspersky’s software provided of what files were suspected on the contractor’s PC, hackers working for Russia homed in on the machine and obtained a large amount of information, said the people familiar with the matter."

But that sounds very implausible, which entry would "the hackers" use? Note that nobody claims that Kaspersky did that "obtaining" that way (by hacking). But it appears to me that Kaspersky software simply first detected suspicious files and then also send them to the servers, which is what the software of most antivirus vendors does. And then the "hackers" story was invented to make it more dramatic. That better fits with the story of the NSA trojan files found on Kaspersky servers by the Israeli, as they hacked Kaspersky.

[giancarlostoro]

I'm not a malware developer but you can tell an AntiVirus not to scan a specific directory so that could of been completely avoided. You can also tell an antivirus what not to send over to the AV developers / company as far as I remember. I stopped using antiviruses years back, but I remember this from when I would download cheating tools I would define a folder for those tools, some of which I had the source code to but they were all flagged as potential malware.

I always setup my AV software to ask me before it does any thing whatsoever. I don't trust most software, I'm not about to start trusting my AV not to randomly send proprietary software over to their homebase.

[inetknght]

I'll cut you some slack because you stated you're not a malware developer. But even if you're a normal developer, you should know that telling software to do something does not mean that the software will do that something. When the software in question is subject to being controlled by adversaries, all guarantees go out of the window.

[aswanson]

Yeah. I facepalmed at that assumption as well. It's as naive as a parent telling an 18 year old not to have friends over while they go on vacation for 2 weeks and thinking its all good from there.

[giancarlostoro]

You're saying nobody would be able to test if, when and what an Antivirus program is sending over the internet? If it all of a sudden is uploading enough data over to some server vs downloading (for updates) it's kind of a tall tale sign that it's phoning home with files. I don't use AV software anymore since I'm mostly on Linux, if I'm on Windows it's dedicated to Windows based programming, all my browsing is isolated usually.

You can go as far as finding the amount of data software is sending over the wire through the Task Manager -> Performance -> Resource Monitor. And to say an AntiVirus can hide this would mean it shouldn't be trusted whatsoever if it behaves like malware. The type of reputation any sane A/V company does not want to fall under.

[jwilk]

Wait, does it really send (suspected) malware home, without asking the user?

[Stranger43]

Yes it's among most antivirus packages advertised features. And example from everyones favorite anti virus vendor https://home.mcafee.com/Secure/CloudAV/HowItWorks.html but they all market a similar feature.

[acqq]

As far as I know most antivirus companies have such defaults which the users can somehow turn off. That means they consider that the user is informed and has agreed by using the product with such a setting unchanged.

I think Microsoft for their threat detection software does the same.

So I guess all the antivirus companies from time to time have such "lucky finds" like these that were obviously automatically collected by Kaspersky. Even the "secret" viruses will eventually be detected in the broader areas from time to time.

[jgmmo]

Yes. All antiviruses do this. It's one of the major streams of malware samples, and for the company I use to work for -- the most important source -- because those are authenticated as being on real customers machines!