Interviews: Ask What You Will of Eugene Kaspersky

Eugene Kaspersky probably hates malware just as much as you do on his own machines, but as the head of Kaspersky Labs, the world's largest privately held security software company, he might have a different perspective — the existence of malware and other forms of online malice drives the need for security software of all kinds, and not just on personal desktops or typical internet servers. The SCADA software vulnerabilities of the last few years have led him to announce work on an operating system for industrial control systems of the kind affected by Flame and Stuxnet. But Kaspersky is not just toiling away in the computer equivalent of the CDC: He's been outspoken in his opinions — some of which have drawn ire on Slashdot, like calling for mandatory "Internet ID" and an "Internet Interpol". He's also come out in favor of Internet voting, and against SOPA, even pulling his company out of the BSA over it. More recently, he's been criticized for ties to the current Russian government. (With regard to that Wired article, though, read Kaspersky's detailed response to its claims.) Now, he's agreed to answer Slashdot readers' questions. As usual, you're encouraged to ask all the question you'd like, but please confine your questions to one per post. We'll pass on the best of these for Kaspersky's answers. Update: 12/04 14:20 GMT by T : For more on Kaspersky's thoughts on the importance of online IDs, see this detailed blog posting.

What Color Is Your Hat?

[eldavojohn]

I feel like when someone is as deep in malware protection as you are, you're basically running malware and, I assume, developing malware or finding exploitable aspects of software. I notice you "discover" a lot of malware but I don't recall seeing you publish any exploits. How much malware development do you do? Any at all? Is there anyone in your company that attempts to mimic what other malware does so you can better understand it? Do you feel like that is a necessity in the field of malware protection?

On Your Exploit-Free OS

[eldavojohn]

Recently you confirmed you're working on an exploit-free OS [kaspersky.com] following all the SCADA attacks. Among other things, you're claiming it is to be written from scratch [securelist.com] but I can't find many details on what it's going to look like architecturally. You say:

Architecturally, the operating system is constructed in such a way that even a break-in into any of the components or applications loaded onto it won’t allow an intruder to gain control over it or to run malicious code.

Could you expound on this? Are you writing this code or still in the design phase? Or better yet, could you compare it to something like, say, CentOS or Debian and tell us how your architecture is going to be more secure? I understand you're scoping down the requirements of your OS to be more easily manageable but the skeptic in me feels like it just can't be done. The cat and mouse game must be played in some form or fashion.

2-3 digital concepts young people should learn?

[davecrusoe]

There's much talk about combating malware through technical solutions (e.g., adding transparency to communication, building increasingly sophisticated scanning systems, etc).

But what interests me is what we should be teaching our young people (students, in primary and secondary school) with respect to the expertise we wished that all adults possessed.

In your estimation, what are 2-3 things that, if young people understood well, would help them excel in the face of cyber adversity (e.g., malware, privacy theft, etc)?

--Dave

Online anonymity

[gallondr00nk]

Recent protest movements and the Arab Spring have shown that the ability to use the Internet anonymously is crucial to organising resistance and circumventing censorship or oppression. In light of that. have you modified your views on the "Internet ID"?

Natalia Kaspersky's Support of Government Malware?

[eldavojohn]

According to Wikipedia [wikipedia.org], Natalia Kaspersky, former CEO and co-majority shareholder of Kaspersky Lab released a statement supporting Russia's interest in a countrywide firewall similar to the Great Firewall of China. The definition of 'malware' I most prefer is "Software that is intended to damage or disable computers and computer systems." I see implementations like countrywide firewalls to be little more than disabling computers and computer systems by limiting their ability to connect to other computers. Would you care to comment on why government malware is okay or even desired? Would you care to refute Natalia's position that appears in Kaspersky Lab's Wikipedia article?

Anonymous Internet IDs

[AaronLS]

Do you believe everyone could be issued an ID, and still remain anonymous? What I mean is, I believe that you could ensure each of your users is unique, but not necessarily know who they are. If everyone is issued a certificate signed by some trusted authority, one could verify that the certificate is valid, without the certificate exposing the information about who you are. You could even have a scheme that lets the authority issue you multiple IDs, but only one for each unique ForUseWithDomain attribute, such that if you wanted to keep your identity from being correlated across different sites, you could do so. This could probably even be automated.

This would ensure that if you banned a malicious user from your site, they wouldn't be able to come back without compromising someone else's certificate. Yet, you still get a high level of anonymity.

Sites that require non-anonymous access could deny anonymous certificates, and require that you authorize access to full name perhaps. This would be like OpenID in the way it will prompt you for a site requesting additional information, like your email.

Kaspersky's relationship with the government?

[swb]

Does Kaspersky have a relationship with the Putin administration or the FSB?

Do either of these organizations have any influence on the business practices or technology of Kaspersky antivirus?

Should a security minded person be concerned with the geographic origin of security software?

Ken Thompson's Hack

[Sarten-X]

One of the threats I expect to see more of is in the vein of Ken Thompson's hack [bell-labs.com], where a compiler (or any other build tool) hosts a trojan and infects other programs it compiles (or links, assembles, etc.) practically undetectably. With open-source software taking an ever-more-vital role in the Internet's core systems, will this kind of attack be easier to detect (perhaps due to the widespread availability of still-clean compilers), or more difficult (perhaps due to the wide network of trusted developers)?

Internet X meme

[vlm]

You seem to support the "Internet X" meme where X is whatever we have in the physical world. ID, passport, voting, interpol, perhaps others. Why?
I mean we are all techies here, OK, so we don't have to act all "marketing" with each other about our new "selling dog food over the internet" patent and so forth.

I've got a perfectly good ID in the physical world that I share with amazon.com called my postal addrs and my CC number, and we're both perfectly happy with that situation. I've got a perfectly good paper and ink passport for crossing international borders, an internet one seems pointless. I/we have an Interpol who already handle crime about as well as any multinational police force could ever hope to, so I'm unclear what one on the internet would do that the real one isn't already fully responsible for. I have a perfectly good voting site 2 blocks from my house where I can vote in person using optical scanned ballots in perfect safety for like 12 hours on voting day, with no intimidation, and very limited to non-existent corruption because there's both a paper and ink ballot and an instant optical scan, what needs fixing about that or moving to the internet?

You've listed some things that have evolved over time to, basically, work pretty well. What is the point of lets replicate that "... on the internet"? Wouldn't we be all better off if we just improved the real Interpol, instead of making a second shadowy clone? Or improved voting, not just "add internet voting". Or improved ID, not "add another form of ID to be stolen"?

Or looking at it another way, why not "Internet X" where X is stuff that doesn't work. Health care. Taxes. Politics. Debating.

I don't see this as a strictly financial self interest question, for example you can probably make as much dough, or more, selling to the real Interpol as selling instead to a shadowy secondary clone. What do you care what the name on the invoice is?

From a techie perspective I/we see this as weird. Say my video card is getting slow/flakey. I could fix the one I have by blowing the dust off the fan, but, naah I'll get a shadowy secondary video card that is a mystery and not nearly as debugged, and try to get them to work in parallel... No that's just now how techies work. We know better.

So why "Internet X"? Not just "improve X"?

Who is winning?

[Anonymous Coward]

Mr. Kaspersky,

Who is winning the Cyberwar?

Re:On Your Exploit-Free OS

[Elbereth]

Well, yes, but I think Kaspersky is advocating that we swing the pendulum in the opposite direction: instead of making trade-offs against security, we make a niche OS that makes all of its trade-offs in favor of security, trying to keep in mind the specific needs of industrial control systems. He's also advocating -- if you'll forgive me -- a paradigm shift, in which security becomes the mantra, rather than stability. This is unsurprising, coming from a security professional. I can't say whether he's an ideological fool or a visionary, but they are not mutually exclusive.

Of course, convincing people to use an operating system that made all of its trade-offs against ease-of-use, backwards compatibility, features, and stability may end being even harder than writing it.