by waihtis 1559 days ago
It's been interesting to note how Kaspersky has been responding to the scrutiny. It's almost always the same - "we have been audited a huge amount of times and no-one has ever found anything!"

It’s suspicious because as someone who is a vendor of risk management, they’re leaving out the gaping hole fact which is that software is updateable and oftentimes AV will do so automatically. Potent risk is pretty huge.

Same applies also to the Huawei discourse.

4 comments

But this applies to any software that has auto-updates. Can we be sure that Microsoft/Google/Apple don't sign backdoor updates for the NSA for specific targets? As far as I know these national security orders are non-public and we don't even know if it's happening.

But Russia used Ukraine in the past as a "playground" for cyber attacks: some mandated tax software auto-update was hacked and delivered a ransomware trojan without any chance to pay, i.e. pure data destruction.

No, it doesn't. Because not all software companies can be a) under influence of a foreign government potentially hostile towards yours and b) software has varying degrees of replacement difficulty.

Example - building an entire smart city network on top of Huawei network gear. It would be very difficult to rip it out and replace on a whim if China suddenly decided to side with Russia in a war against the West, which is literally a possibility floating in the air right now. End state - you have a hostile actor who has access & control of your critical infrastructure. ¯\_(ツ)_/¯

Assume, just for the sake of argument, that Kaspersky has no back doors and no connections to state organs.

What would you, as Kaspersky CEO, say?

> Same applies also to the Huawei discourse.

How? Huawei routers and switches don't auto-update.

Their whole range of management software does.

How else should they respond? And almost all software today is updateable, and many do so automatically by default. What is your argument here exactly?

The point here is - don't build critical functionality via companies that are under the thumb of foreign superpowers.

"But what about USA??" I don't expect Europe as it is now to be in hostile terms with USA. But the principle would of course apply if that started being true.