
Interviews: Ask What You Will of Eugene Kaspersky

Posted by timothy
from the make-his-day dept.
Eugene Kaspersky probably hates malware just as much as you do on his own machines, but as the head of Kaspersky Labs, the world's largest privately held security software company, he might have a different perspective — the existence of malware and other forms of online malice drives the need for security software of all kinds, and not just on personal desktops or typical internet servers. The SCADA software vulnerabilities of the last few years have led him to announce work on an operating system for industrial control systems of the kind affected by Flame and Stuxnet. But Kaspersky is not just toiling away in the computer equivalent of the CDC: He's been outspoken in his opinions — some of which have drawn ire on Slashdot, like calling for mandatory "Internet ID" and an "Internet Interpol". He's also come out in favor of Internet voting, and against SOPA, even pulling his company out of the BSA over it. More recently, he's been criticized for ties to the current Russian government. (With regard to that Wired article, though, read Kaspersky's detailed response to its claims.) Now, he's agreed to answer Slashdot readers' questions. As usual, you're encouraged to ask all the questions you'd like, but please confine your questions to one per post. We'll pass on the best of these for Kaspersky's answers. Update: 12/04 14:20 GMT by T: For more on Kaspersky's thoughts on the importance of online IDs, see this detailed blog posting.
  • by eldavojohn (898314) * <eldavojohn@gmFREEBSDail.com minus bsd> on Monday December 03, 2012 @01:21PM (#42170561) Journal
    I feel like when someone is as deep in malware protection as you are, you're basically running malware and, I assume, developing malware or finding exploitable aspects of software. I notice you "discover" a lot of malware but I don't recall seeing you publish any exploits. How much malware development do you do? Any at all? Is there anyone in your company that attempts to mimic what other malware does so you can better understand it? Do you feel like that is a necessity in the field of malware protection?
  • by whizzter (592586) on Monday December 03, 2012 @01:23PM (#42170595) Homepage

    Sorry could not resist :)

  • by Anonymous Coward on Monday December 03, 2012 @01:28PM (#42170643)
    Related, have you ever tried bath salts?
  • by eldavojohn (898314) * <eldavojohn@gmFREEBSDail.com minus bsd> on Monday December 03, 2012 @01:28PM (#42170649) Journal
    Recently you confirmed you're working on an exploit-free OS [kaspersky.com] following all the SCADA attacks. Among other things, you're claiming it is to be written from scratch [securelist.com] but I can't find many details on what it's going to look like architecturally. You say:

    Architecturally, the operating system is constructed in such a way that even a break-in into any of the components or applications loaded onto it won’t allow an intruder to gain control over it or to run malicious code.

    Could you expound on this? Are you writing this code or still in the design phase? Or better yet, could you compare it to something like, say, CentOS or Debian and tell us how your architecture is going to be more secure? I understand you're scoping down the requirements of your OS to be more easily manageable but the skeptic in me feels like it just can't be done. The cat and mouse game must be played in some form or fashion.

    • by Synerg1y (2169962) on Monday December 03, 2012 @01:37PM (#42170745)
      Not an OS in the traditional sense. It's mission specific firmware code tailored for single purposes. They're in for a nasty surprise when they discover that not all industrial systems are set up in the same manner, time period, or with the same risk scope.
      • by vlm (69642) on Monday December 03, 2012 @01:54PM (#42170939)

        Not an OS in the traditional sense. It's mission specific firmware code tailored for single purposes.

        So.... it's freedos run as virtualization images? An awful lot of embedded work got done before modern OS and it's still getting done more or less despite them.

      • by Elbereth (58257) <krachtm@yahoo.com> on Monday December 03, 2012 @02:35PM (#42171389) Homepage Journal

        Well, yes, but I think Kaspersky is advocating that we swing the pendulum in the opposite direction: instead of making trade-offs against security, we make a niche OS that makes all of its trade-offs in favor of security, trying to keep in mind the specific needs of industrial control systems. He's also advocating -- if you'll forgive me -- a paradigm shift, in which security becomes the mantra, rather than stability. This is unsurprising, coming from a security professional. I can't say whether he's an ideological fool or a visionary, but they are not mutually exclusive.

        Of course, convincing people to use an operating system that made all of its trade-offs against ease-of-use, backwards compatibility, features, and stability may end up being even harder than writing it.

        • Of course, convincing people to use an operating system that made all of its trade-offs against ease-of-use, backwards compatibility, features, and stability may end up being even harder than writing it.

          Nah, it's not hard to convince people that matter to use the operating system. Or, rather, I should say that shouldn't be a goal to get mainstream adoption. I too am creating a security focused operating system from scratch -- Uses separate isolated call stacks rather than place data and code pointers in the same stack, and some other tricks to keep code pointers in heap data structures from being modified. My design calls for a different compilable programming language other than C as a base because C's essentially designed to do shit the most insecure way possible -- Hell, x86 even has ENTER and LEAVE instructions specifically to facilitate doing bad things faster, so doing safer things is slightly less performant. Once I've finished implementing my programming language I'll be able to implement a C compiler with it that utilizes the other language's features -- eg: functions are just a special case of coroutines... Then I can compile much of the stuff people expect in an OS, like existing drivers for their hardware, not just for mine.

          Now, I know I'm pretty much the only one who's going to use my OS and my programming language, but my goal isn't adoption, it's to prove a point: You CAN make much more secure OSs that protect against many programming pitfalls. Remember when the Internet was 1st built and how all the services were open and everyone was essentially trusted to be good guys -- network admins would only close ports if they detected some trouble there? Now an admin would be fired for such practices. Now we have firewalls by default and only let through stuff that we know is good... Our OS's are still like that old trust everything model. We've made a few advances, but we're still just patching trouble spots. We still TRUST THE MODIFIABLE PARAMETER STACK TO CONTAIN CODE POINTERS. Ugh, I feel like I'm still in the 80s when it comes to OS security. GCC has an option to place a canary value to try and catch some overruns, but it's just like closing one more port because we saw some trouble there -- it does nothing if the exploit knows how to write over a canary with itself or exploits code pointers on the heap. We need to go back to the drawing board. Seriously. For fuck's sake people: I'm all for avoiding needless re-inventing of the wheel, but you don't put steel banded wooden waggon wheels on a damn Porsche, that's asinine and UNSAFE.

          I don't think for a second that everyone's going to start using my OS even if it's uncrackable. No, instead I only wish to show folks how it can be done, by example. My aim is more of a reference implementation of techniques that other mainstream OSs can analyze and apply to improve their security. Eg: In no event does a buffer overrun, stack smashing, or any other unintended data modification cause unexpected or arbitrary code execution in my OS... This stuff is easy, It's not brain science, but we've got a lot of time invested in doing things the wrong way -- Popping the CODE pointer off the same stack we put our working DATA in, and running wherever it says to. It would be funny if it weren't so fucking moronic.

          There's no reason that today's OSs can't have a whole host of security enhancing techniques except that when some unknown dude, or even a well respected fellow, pops into a compiler or OS discussion and points out how everything is all wrong everywhere, then folks just laugh at you, bugs crawling all over their faces, but they can't feel them anymore -- They'll argue that it's not worth fixing while neck deep in someone's dumped core sewage, or they'll outright deny there's anything wrong as a family of cockroaches crawl from their nostrils and into their ears. These people have lived wallowing in the shit with the bugs for so long they don't even flinch. To me, it's just disgusti

        • by DMUTPeregrine (612791) on Tuesday December 04, 2012 @09:58PM (#42187443) Journal
          I think stability is very important, finding system instabilities is often an easy way to find security exploits. Also, if the system crashes it's essentially a DOS attack, whether or not the attacking entity is a human or random chance.

          And there already is a niche OS that makes all of its trade-offs in favor of security, it's called OpenBSD. It's BSD licensed, so could be a good starting point for an industrial control OS focused on security and stability.
    • by Anonymous Coward on Monday December 03, 2012 @03:00PM (#42171725)

      It can't be done. It's not possible.

      You can easily prove this (Left as an exercise for the reader).

  • by WGFCrafty (1062506) on Monday December 03, 2012 @01:29PM (#42170661)
    Did... your special relationship with Russia's former KGB help secure your son, or would any Russian have received that prompt service?
  • by chill (34294) on Monday December 03, 2012 @01:31PM (#42170685) Journal
  • by lister king of smeg (2481612) on Monday December 03, 2012 @01:34PM (#42170711)

    You plan on making a secure OS for industrial/infrastructure systems. Do you plan on basing it on preexisting open kernels: BSD, Linux, Haiku, Mach? Will it be Unix/POSIX-like? Will it be a monolithic or micro kernel? Or are you thinking more of a hypervisor that hosts and monitors the guest OS for the SCADA systems?

  • by davecrusoe (861547) on Monday December 03, 2012 @01:37PM (#42170737) Homepage

    There's much talk about combating malware through technical solutions (e.g., adding transparency to communication, building increasingly sophisticated scanning systems, etc).

    But what interests me is what we should be teaching our young people (students, in primary and secondary school) with respect to the expertise we wished that all adults possessed.

    In your estimation, what are 2-3 things that, if young people understood well, would help them excel in the face of cyber adversity (e.g., malware, privacy theft, etc)?

    --Dave

  • by Anonymous Coward on Monday December 03, 2012 @01:40PM (#42170799)

    Hello. Love your product.

    Can you tell us anything about your work with the KGB? Did you work in operations, or support?

  • Online anonymity (Score:5, Interesting)

    by gallondr00nk (868673) on Monday December 03, 2012 @01:42PM (#42170815)

    Recent protest movements and the Arab Spring have shown that the ability to use the Internet anonymously is crucial to organising resistance and circumventing censorship or oppression. In light of that, have you modified your views on the "Internet ID"?

    • by Anonymous Coward on Monday December 03, 2012 @02:15PM (#42171147)

      Does Mr. Kaspersky still think that tracking everybody's every move (which is the inevitable result of "internet ID") is a reasonable approach to curbing a relatively small (as in tiny) percentage of bad apples, seeing how that so far has yielded zilch results in other fields (airport security theatre), and whether the costs, not just in financial terms but also eg liberty lost and foregone (persecution, panopticon effect) are worth it, in the long term [slashdot.org]?

      Posted anonymously, while I still can. Please do try and convince us that we oughtn't be able to.

  • by csumpi (2258986) on Monday December 03, 2012 @01:42PM (#42170817)
    What's the easiest way to wipe all the Kaspersky bloat/trial/crapware from new Windows machines?
  • According to Wikipedia [wikipedia.org], Natalia Kaspersky, former CEO and co-majority shareholder of Kaspersky Lab released a statement supporting Russia's interest in a countrywide firewall similar to the Great Firewall of China. The definition of 'malware' I most prefer is "Software that is intended to damage or disable computers and computer systems." I see implementations like countrywide firewalls to be little more than disabling computers and computer systems by limiting their ability to connect to other computers. Would you care to comment on why government malware is okay or even desired? Would you care to refute Natalia's position that appears in Kaspersky Lab's Wikipedia article?
  • by AaronLS (1804210) on Monday December 03, 2012 @01:45PM (#42170851)

    Do you believe everyone could be issued an ID, and still remain anonymous? What I mean is, I believe that you could ensure each of your users is unique, but not necessarily know who they are. If everyone is issued a certificate signed by some trusted authority, one could verify that the certificate is valid, without the certificate exposing the information about who you are. You could even have a scheme that lets the authority issue you multiple IDs, but only one for each unique ForUseWithDomain attribute, such that if you wanted to keep your identity from being correlated across different sites, you could do so. This could probably even be automated.

    This would ensure that if you banned a malicious user from your site, they wouldn't be able to come back without compromising someone else's certificate. Yet, you still get a high level of anonymity.

    Sites that require non-anonymous access could deny anonymous certificates, and require that you authorize access to full name perhaps. This would be like OpenID in the way it will prompt you for a site requesting additional information, like your email.

    • by Anonymous Coward on Monday December 03, 2012 @06:17PM (#42173579)

      Already covered. It's called pseudonymous. It's been used, tried, and...not really discarded, so much as...it wasn't practical for the world at large. It doesn't quite handle your case, but your case asks for something that is a semantic contradiction...

      You can't have both things you describe. I can make a new ID -- it has to be totally new. If it comes to a root, people can trace it up to the root.

      If it can't be traced up to the root, I can make a new one. If I can't trace an ID up the root, and I can't make a new one, then I can only have one ID.

      The best you can pull off are trust chains, or computation chains.

      The authority issuing multiple IDs does not prevent the authority from tracking my ID, aggregating my ID, selling my information. In short, the authority is subject to compromise.

      You want non-anonymous access, you need to enforce it through rep or law. Either one is subject to automated compromise.

      • by AaronLS (1804210) on Tuesday December 04, 2012 @05:59PM (#42185163)

        "If it comes to a root, people can trace it up to the root."

        Maybe I misunderstand what you mean here. Yes, they can trace it to the certificate authority. This is like knowing who issued the ID, it doesn't tell you anything about the ID itself. In fact, this property is key to ensuring the ID isn't forged/self signed, because anyone can verify it with the cert authority. It is like a client side SSL certificate that doesn't include any of the attributes that identify the organization/company. All you know is that, yes this is a valid ID (which can optionally be used only at such-and-such domain).

        True that the authority is a single point of failure, and would have to have some oversight to ensure they were not collecting usage data. While they'd be able to track what IDs for what domains were issued, in my design, they can't track usage since the ID can be cryptographically verified with the authority's public key, without ever requesting validation with the authority. So when I visit facebook.com with my ID, the authority that issued my ID doesn't know when or how much I visit that site.

        The trusted authority is not any different than any other link in the chain, whether it be our own devices, connection, ISP, email provider, etc. where there is a constant battle between government oversight, law enforcement surveillance, malicious abuse, marketing data, and user freedom. It's not like the web hasn't been hinged upon many single points of failure already. You compromise any authority, whether it be SSL certs, OpenID, email provider (reset passwords of any accounts using the email as recovery) etc. and then you can do a huge amount of malicious things.

        This is like saying houses are bad because they don't protect you from sudden massive sinkholes swallowing you and your house up. Yes there are scenarios that break these systems, but that is why they take security seriously in those contexts. None of these things mean that the SSL system, email providers, or OpenID are terrible systems. It's like throwing the baby out with the dirty bath water.

        "You want non-anonymous access[...]"
        No, that's the opposite of what I said I want! That will never get public acceptance or broad usage. There has to be some anonymous element to it for the public to accept it.

        Nor can we trust law enforcement to manage the system. I'm not a law enforcement hater, but within law enforcement there are many individuals who will put their own twist on the law, or sometimes simply abuse their access to surveillance for malicious purposes. The combination of authority and access is a very bad combination. That's why it needs to be a non-commercial organization, not affiliated with a particular nation.

        The great thing about the ID is that anyone requiring it will be able to deny access on a first offense, and not worry about someone coming back with a different ID.

        Some forms of denial-of-service attacks could be prevented (many systems minimize sessions overhead for non-authenticated users, thus you have to use a bot-net that steals/leverages local user's ID for DOS). You would greatly minimize botnet attacks from leveraging IDs by using smart card systems that require a challenge-response device be in hand. These types of IDs are used in other countries but have had resistance in the US due to anonymity concerns. I'm simply advocating for the Identifying information to be kept private at the cert. authority to help make the IDs more acceptable to the public, and be non-government affiliated.

        The benefits for the security of systems/sites that use these for authentication would be profound. Imagine Diablo 2 where each patch was responded to with new hacks that worked around hack detection. People who got banned when the new patch came out, or because they were testing a modification to the hack to make it work with the new patch, would simply obtain stolen keys or purchase new ones(usually at a very low cost through markets that dealt in "stolen" keys because you could determine
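
An added example, not part of any commenter's post, of the per-domain ID scheme AaronLS describes above: the authority signs one ID per person per domain, the site verifies it offline with the authority's public key, and the holder proves possession by challenge-response. The type names, `forum.example`, `shop.example`, `alice` and the fixed demo seeds are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Credential is a per-domain ID; nothing in it says who the holder is.
type Credential struct {
	Domain    string // the comment's "ForUseWithDomain" attribute
	HolderKey ed25519.PublicKey
	Sig       []byte // authority's signature over Domain and HolderKey
}

// signedBytes length-prefixes the domain so (domain, key) pairs never collide.
func signedBytes(domain string, key ed25519.PublicKey) []byte {
	return append([]byte(fmt.Sprintf("%d:%s:", len(domain), domain)), key...)
}

var ErrAlreadyIssued = errors.New("an ID was already issued to this person for this domain")

// Authority's issued table is the person-to-domain linkage the reply warns about.
type Authority struct {
	priv   ed25519.PrivateKey
	issued map[[2]string]bool // {person, domain}
}

func (a *Authority) Issue(person, domain string, holder ed25519.PublicKey) (*Credential, error) {
	k := [2]string{person, domain}
	if a.issued[k] {
		return nil, ErrAlreadyIssued // one ID per person per domain
	}
	a.issued[k] = true
	return &Credential{domain, holder, ed25519.Sign(a.priv, signedBytes(domain, holder))}, nil
}

// Site verifies IDs with the authority's public key and never contacts it.
type Site struct {
	Domain string
	CAPub  ed25519.PublicKey
	banned map[string]bool // keyed by holder public key
}

// Admit checks an ID plus the holder's signature over a nonce the site chose.
func (s *Site) Admit(c *Credential, nonce, resp []byte) error {
	switch {
	case c.Domain != s.Domain:
		return errors.New("ID was issued for another domain")
	case len(c.HolderKey) != ed25519.PublicKeySize:
		return errors.New("malformed holder key")
	case !ed25519.Verify(s.CAPub, signedBytes(c.Domain, c.HolderKey), c.Sig):
		return errors.New("ID not signed by the authority")
	case s.banned[string(c.HolderKey)]:
		return errors.New("ID is banned")
	case !ed25519.Verify(c.HolderKey, nonce, resp):
		return errors.New("holder did not prove possession of the key")
	}
	return nil
}

// demoKey uses a constructed fixed seed for repeatable runs; real keys need crypto/rand.
func demoKey(b byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

type Result struct{ Admitted, DistinctPerDomain, WrongDomainRejected, SelfSignedRejected, BanHolds, ReissueDenied bool }

// Demo runs a constructed scenario: one person ("alice"), two domains.
func Demo() Result {
	caPub, caPriv := demoKey(1)
	ca := &Authority{caPriv, map[[2]string]bool{}}
	forum := &Site{"forum.example", caPub, map[string]bool{}}
	fPub, fPriv := demoKey(2) // alice's key for forum.example
	sPub, _ := demoKey(3)     // alice's key for shop.example
	fID, _ := ca.Issue("alice", "forum.example", fPub)
	sID, _ := ca.Issue("alice", "shop.example", sPub)
	login := func(c *Credential) bool { // challenge-response against the forum
		nonce := make([]byte, 32)
		_, err := rand.Read(nonce)
		return err == nil && forum.Admit(c, nonce, ed25519.Sign(fPriv, nonce)) == nil
	}
	r := Result{Admitted: login(fID), WrongDomainRejected: !login(sID)}
	r.DistinctPerDomain = !bytes.Equal(fID.HolderKey, sID.HolderKey)
	selfSig := ed25519.Sign(fPriv, signedBytes("forum.example", fPub))
	r.SelfSignedRejected = !login(&Credential{"forum.example", fPub, selfSig})
	forum.banned[string(fID.HolderKey)] = true // ban on first offense
	r.BanHolds = !login(fID)
	_, err := ca.Issue("alice", "forum.example", sPub) // try for a fresh forum ID
	r.ReissueDenied = errors.Is(err, ErrAlreadyIssued)
	return r
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

The sites never learn who "alice" is and cannot correlate her two IDs, but the authority's `issued` table still ties her to both domains, which is the objection raised in the anonymous reply.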

  • by Anonymous Coward on Monday December 03, 2012 @01:46PM (#42170857)

    In a small Latin American country like Belize. You've gone on the run, the police are hunting you and your options for escape are coming up short. You've started a blog to discuss your situation, but no external entities have helped. What's your next step?

    -- John

  • by Zaphod-AVA (471116) on Monday December 03, 2012 @01:47PM (#42170863)

    Malware continues to be successful despite our current efforts. Why do we continue to use the same failed security model? Automated white listing seems like a better answer to modern security problems.

    • by Anonymous Coward on Monday December 03, 2012 @02:02PM (#42171007)

      2 reasons:
      1. Existing solutions haven't really been tried, especially in Windows.
      2. Every computer owner must have the freedom to run software of his own choice.

      Of course, #2 is going away anyway, with the proliferation of the walled garden.

      • by Anonymous Coward on Monday December 03, 2012 @05:22PM (#42173115)

        Isn't this what vista started? Where it asks if you allow said program to do xyz?
        A better interface to lock programs down would be nice.
        I think it was Core Force software that used a white list approach. It was extremely complicated to set up but I remember having to give permissions to programs accessing the registry, internet ports and sites and directory access. I never could get it working with all the programs I used but nothing ran default. I might want to try it again on my xp vm I use for netflix.

  • by stox (131684) on Monday December 03, 2012 @01:50PM (#42170899) Homepage

    For a life of adventure? It seems to be the in thing for writers of AV software these days.

  • What's... (Score:3, Insightful)

    by Antipater (2053064) on Monday December 03, 2012 @01:51PM (#42170913)
    your favorite brand of vodka?
    • by Anonymous Coward on Monday December 03, 2012 @06:30PM (#42173707)

      lol insightful mod. All vodka is basically the same once you get away from the cheap crap, just aqueous ethanol with almost no taste. With Grey Goose etc you're paying for the nice bottles and perceived coolness.

  • by gr8_phk (621180) on Monday December 03, 2012 @01:54PM (#42170947)
    If you're in favor of "mandatory internet ID" as the summary says, what form should that take? I have been an advocate of fixed IP addresses for everyone, but would something like that be sufficient? I realize there may be issues with mobile devices, but in principle does a fixed IP come close to what you're in favor of? Or is it something much more complex?
  • by swb (14022) on Monday December 03, 2012 @02:00PM (#42170991)

    Does Kaspersky have a relationship with the Putin administration or the FSB?

    Do either of these organizations have any influence on the business practices or technology of Kaspersky antivirus?

    Should a security minded person be concerned with the geographic origin of security software?

  • Ken Thompson's Hack (Score:5, Interesting)

    by Sarten-X (1102295) on Monday December 03, 2012 @02:04PM (#42171031) Homepage

    One of the threats I expect to see more of is in the vein of Ken Thompson's hack [bell-labs.com], where a compiler (or any other build tool) hosts a trojan and infects other programs it compiles (or links, assembles, etc.) practically undetectably. With open-source software taking an ever-more-vital role in the Internet's core systems, will this kind of attack be easier to detect (perhaps due to the widespread availability of still-clean compilers), or more difficult (perhaps due to the wide network of trusted developers)?

    • by Sits (117492) on Monday December 03, 2012 @07:35PM (#42174269) Homepage Journal

      Mentions of Ken Thompson's Reflections on Trusting Trust should also mention David A. Wheeler's "Fully Countering Trusting Trust" [dwheeler.com] which provides a means of identifying and resolving a malicious compiler.

    • by lister king of smeg (2481612) on Monday December 03, 2012 @09:34PM (#42175183)

      Well, you could, in the case of an open source compiler, read the source or, if you don't have the expertise in that area, hire a (team of) code analysts / auditors / programmers. You could also compare the binaries of two different standard-compliant compilers that have compiled the same code on the same hardware. You could also write your own compiler and bootstrap your own system from source à la Gentoo/Linux From Scratch.

      • by eer (526805) on Monday December 03, 2012 @09:48PM (#42175263)

        No, actually, you can't. It's computationally infeasible to find deliberately hidden malware in a body of code, whether source or object. So no amount of analysis and/or testing can ever reliably tell you whether in fact your existing system is corrupt. You can only accomplish that by starting with a formal set of requirements that you can then successively refine into code that is (a) minimal, and (b) demonstrably maps directly to your formal specifications and their requirements. Any excess beyond what is minimally required to accomplish your task is a potential reservoir of latent malware. Note that such malware may be present in the source (ref. Ken Thompson's attack), or if it is, it may make use of various global state variables on the system as a trigger, or key, to unlock its functionality.

  • by Lieutenant_Dan (583843) on Monday December 03, 2012 @02:06PM (#42171039) Homepage Journal

    Mr. Kaspersky are you safe?

    You're operating out of the same country that has a ton of botnet operators and raking in some decent dough with cheap pharmaceutical sales thanks to people desperate or naive enough to do so.

    There have been some interesting stories hailing from your corner of your world. How do you feel with your ability to run your company the way you want and without any threats to you or your staff?

  • I was surprised that companies don't rig the install disc to be self booting anymore. Why is this??

    would not be a problem but an updated bootable copy seems to be either Voodoo or in the form of download a full copy every time

  • by Anonymous Coward on Monday December 03, 2012 @02:16PM (#42171161)

    Speak, memory.

  • Internet X meme (Score:5, Interesting)

    by vlm (69642) on Monday December 03, 2012 @02:17PM (#42171173)

    You seem to support the "Internet X" meme where X is whatever we have in the physical world. ID, passport, voting, interpol, perhaps others. Why?
    I mean we are all techies here, OK, so we don't have to act all "marketing" with each other about our new "selling dog food over the internet" patent and so forth.

    I've got a perfectly good ID in the physical world that I share with amazon.com called my postal addrs and my CC number, and we're both perfectly happy with that situation. I've got a perfectly good paper and ink passport for crossing international borders, an internet one seems pointless. I/we have an Interpol who already handle crime about as well as any multinational police force could ever hope to, so I'm unclear what one on the internet would do that the real one isn't already fully responsible for. I have a perfectly good voting site 2 blocks from my house where I can vote in person using optical scanned ballots in perfect safety for like 12 hours on voting day, with no intimidation, and very limited to non-existent corruption because there's both a paper and ink ballot and an instant optical scan, what needs fixing about that or moving to the internet?

    You've listed some things that have evolved over time to, basically, work pretty well. What is the point of lets replicate that "... on the internet"? Wouldn't we be all better off if we just improved the real Interpol, instead of making a second shadowy clone? Or improved voting, not just "add internet voting". Or improved ID, not "add another form of ID to be stolen"?

    Or looking at it another way, why not "Internet X" where X is stuff that doesn't work. Health care. Taxes. Politics. Debating.

    I don't see this as a strictly financial self interest question, for example you can probably make as much dough, or more, selling to the real Interpol as selling instead to a shadowy secondary clone. What do you care what the name on the invoice is?

    From a techie perspective I/we see this as weird. Say my video card is getting slow/flakey. I could fix the one I have by blowing the dust off the fan, but, naah I'll get a shadowy secondary video card that is a mystery and not nearly as debugged, and try to get them to work in parallel... No that's just not how techies work. We know better.

    So why "Internet X"? Not just "improve X"?

  • by Anonymous Coward on Monday December 03, 2012 @02:24PM (#42171245)

    Would Kaspersky labs release a detailed document on Shylock malware, what it does, infection rate and so on?

  • by vlm (69642) on Monday December 03, 2012 @02:26PM (#42171269)

    criticized for ties to the current Russian government.

    You'll have to give me a break because all the links WRT this topic in our provided summary were 404 when I checked a couple seconds ago, so if I mischaracterize anything then it's all timothy's fault.

    Anyways WRT to corp govt relations, I'm guessing the model of the disagreement is:

    In the US the corps completely own and control the govt and no other groups or individuals have any input or control over the govt, and we expect everyone else to live that way, but in .ru, the relationship is not quite as centrally controlled or cozy, more or less. Is it that simple or is there more to it?

  • by HideyoshiJP (1392619) on Monday December 03, 2012 @02:26PM (#42171275)
    Many pieces of software and hardware used in Healthcare are required to pass FDA certification, especially in areas like radiology. Often times, these vendors report that because they are certified on a certain patch level, these systems cannot be patched without losing that certification. Do you see any solutions to the current state of industry-specific software's seeming lack of quality, updates and security?
  • by eer (526805) on Monday December 03, 2012 @02:27PM (#42171295)

    Given the long established history with reference monitors and Class A1 design, will your from-scratch OS follow TCSEC (Orangebook) guidance so as to provide verifiable assurance that no trap doors or Trojan horses exist in the code? If not, what is your approach, instead?

  • Who is winning? (Score:3, Interesting)

    by Anonymous Coward on Monday December 03, 2012 @02:28PM (#42171297)

    Mr. Kaspersky,

    Who is winning the Cyberwar?

  • by Anonymous Coward on Monday December 03, 2012 @02:31PM (#42171339)

    Do you think you've got a chance at selling your ICS software to Americans? Don't you think they'll be hesitant to buy it?

  • by eer (526805) on Monday December 03, 2012 @02:35PM (#42171381)

    Given the long established practice in high assurance computer systems design to use segments to represent base-level security objects (so as to maximize alignment of hardware-enforced security policies with promised protections of the objects), will your new OS design rely on segments to represent security objects, or if not, what hardware abstraction will you use, instead?

  • by Anonymous Coward on Monday December 03, 2012 @02:36PM (#42171397)

    What do you think of the way western countries have treated Huawei products? Most people agree they are inferior products, don't you agree? Do you feel Kaspersky has received similar treatment?

  • by Anonymous Coward on Monday December 03, 2012 @02:38PM (#42171427)

    Is there a question someone could ask you that would likely result in your death if you answered it honestly?

  • by Anonymous Coward on Monday December 03, 2012 @02:48PM (#42171549)

    Your move?

  • by Anonymous Coward on Monday December 03, 2012 @02:52PM (#42171615)

    http://theinvisiblethings.blogspot.com/2012/09/introducing-qubes-10.html [blogspot.com]

    * Since I understand you are looking to design a secure Operating System of some sort, have you seen that lady's ideas that are a work-in-practice already?

    APK

    P.S.=> Do you plan to use a similar design?? apk

  • by Anonymous Coward on Monday December 03, 2012 @02:55PM (#42171641)

    Dear Mr. Kaspersky,

    I have long thought that malware detection is a fool's errand: it seems incredibly difficult, if not possible, to write a detector for "bad" software when "bad" is not precisely defined. Furthermore, it seems that identifying malware requires computation at least linear in size to the data input into the system (since that's where one often looks for malware), so it does not seem to be a scalable solution. In my opinion, there are better approaches to security that are more worthy of time and effort: creating usable but strong access controls to compartmentalize software/data on a system being one, and creating compilers that can harden executables from attack as another. I think that malware detection has taken too many resources away from more profitable defenses.

    Do you think that there is some value to malware detection that warrants attention to it instead of other techniques, and if so, what is that value?

  • by Anonymous Coward on Monday December 03, 2012 @03:02PM (#42171759)

    Oh sorry, it's because AMA (TM) is owned by reddit.

  • by concealment (2447304) on Monday December 03, 2012 @03:09PM (#42171861) Homepage Journal

    But Kaspersky’s rise is particularly notable—and to some, downright troubling—given his KGB-sponsored training, his tenure as a Soviet intelligence officer, his alliance with Vladimir Putin’s regime, and his deep and ongoing relationship with Russia’s Federal Security Service, or FSB.

    http://www.wired.com/dangerroom/2012/07/ff_kaspersky/all/ [wired.com]

    Any comment on these allegations?

  • by Anonymous Coward on Monday December 03, 2012 @03:31PM (#42172101)

    How important will the process of choosing a "language-based system" be to ensure the security of the operating system (OS) you envisage? Choosing a type-safe language to create a memory-safe OS can help with the threats posed by the Internet or malware while also reducing some complex code used to get around a lack of type-safety in an OS. Will you be creating your own system or general purpose programming language to ensure this security in this way? If not, there are a few languages already available, or partially available, to choose from, Cyclone (an extension of the last version of C), Red/System (still under development), Euphoria (a system language with type-checking, and it uses simple words instead of punctuation to improve readability) and the combination of a type-safe Assembly that handles hardware and memory with managed C# that handles the rest of the kernel and the applications (like Microsoft implements in the Verve OS and might implement in a future Windows; that is, code-named Midori).

  • by Anonymous Coward on Monday December 03, 2012 @03:45PM (#42172221)

    You've been in computer security a long time, and have seen many things come and go.
    DOS/bootsector viruses, Windows viruses, macro viruses, rise of worms to replace them, and now the commercialization of malware with botnets, extortion-ware and the targeted weaponised malware like the one that hit Iran (and who knows what else).

    What's changed? What's remained the same? What about the malware creators - has their motivation changed?
    Where do you believe things are headed?

  • by Fnord666 (889225) on Monday December 03, 2012 @03:52PM (#42172299) Journal

    I assume that various state sponsored agencies provide you with their "research" tools and ask that you not detect them with your products nor should you interfere with their operation. To what extent does this happen, to what degree are you "asked" to comply, and to what degree are you forbidden to discuss this topic? Do you, or if you had the opportunity to do so without repercussions would you, offer a version of your products that identified and disabled this spyware?

  • by lemur3 (997863) on Monday December 03, 2012 @03:55PM (#42172325)

    What brought about the move to sponsor the Ferrari Formula One Racing team in 2011 and 2012?

  • by HuguesT (84078) on Monday December 03, 2012 @04:04PM (#42172415)

    Of course, malware is making him rich and famous, how could it be otherwise.

    Other things E.K. loves: poorly conceived O/Ses; lack of education in users; and the status quo in matters of computer security.

    I'm personally convinced that anti-malware software is a useless hack. Without it, we would have moved away long ago from easily hackable systems.

  • by Anonymous Coward on Monday December 03, 2012 @04:25PM (#42172577)

    It's well known that the K in Kaspersky stands for KGB. How tightly are you currently coupled to Russian intelligence, and what services do you provide to them?

  • by Muad'Dave (255648) on Monday December 03, 2012 @04:29PM (#42172615) Homepage

    What arm of the Russian mafia did you send to whack John McAfee's neighbor? :-)

  • by Anonymous Coward on Monday December 03, 2012 @04:41PM (#42172715)

    When Stuxnet originally came out, Symantec provided some amazing research. After Stuxnet, they have been amazingly silent on subsequent threats like Duqu, Flame, etc. while your Russian company has provided details. Do you know why Symantec went silent?

  • by dave562 (969951) on Monday December 03, 2012 @04:46PM (#42172759) Journal

    This is kind of a two part question. Or more like one statement and one question.

    We see Apple growing in market share and one of the memes that has been accepted by a large part of the community is that Apple is not targeted by malware authors in part because the return on investment is not as high as it is for Windows machines. To put it another way, if a malware author targets Windows they get millions of home users, but more importantly, they also have the potential to infect corporate systems, server farms, etc. If they go after OSX, they get a bunch of home computers and some audio visual professionals.

    Apple's market share is growing, and they also have converted their OS over to run on Intel chips. It now shares the same hardware base as PCs that run Windows. Given that all of the really advanced malware code (rootkits, polymorphism, etc) is written in Assembly, do you foresee any tipping point coming where OSX will be targeted on a large scale like Windows has been? Or is there simply not enough of a payoff there for the malware creators, given the ease of exploitation and widespread deployment of Windows?

  • by wiedzmin (1269816) on Monday December 03, 2012 @04:54PM (#42172839)

    Are there any grounds to allegations that antivirus companies may be involved with creating malware, as a form of job security?

  • by magic maverick (2615475) on Monday December 03, 2012 @05:20PM (#42173107) Homepage Journal

    While MS Windows is the most common computer OS around, there are obviously many others. For your personal use, what is your main OS, and how do you keep it secure (do you, e.g. run MS Windows with anti-malware software, or do you run Ubuntu Linux with the defaults)? Is this a setup that you would suggest for others, or is it too esoteric?

  • by dhomstad (1424117) on Monday December 03, 2012 @06:33PM (#42173723)

    [Introduction] (My apologies for the long introduction to the question, but Slashdot only allows one!)

    Mr. Kaspersky,

    In the 1970's, following an Arab enforced oil embargo on Israel, the United States found itself amidst an energy crisis. President Jimmy Carter educated America on the Energy Crisis, warning that the issue could escalate into a national crisis, and equating the energy crisis to "the Moral Equivalent of War." President Carter outlined 10 policies which touched on reducing demand through conservation, pushing for "predictable and certain" governmental policies, creation of a Strategic Petroleum Reserve, and development of new sources of energy.

    Fast forward to the 2010's, and America is in a similar economic condition. Unemployment is rising, economic rebound is uncertain, and inflation all but inevitable. I see the US government pointing fingers of blame at "China" (as if all Chinese hackers represent their state) targeting security vulnerabilities of private and public US companies' databases, which often hold valuable, private information on US citizens. I assume the US government is either funding or assisting in the development of malware as a Tool for International Policy. The economic incentive towards hacking continually increases, yet no few steps are made to prevent it.

    [Question] Imagine you are President (any country in general, not necessarily the United States) - what policies would you put forward to curb this Security Crisis we are entangled in? I've read some snippets about the 'internet interpol' and 'internet ID,' but I'd like to offer you the opportunity to put forward a short, detailed plan (perhaps 5 or 6 bullet points) towards combating this Security Crisis. If you want to change any past statements, or add a little more substance to them, feel free.

    [Post Statement] I hope your own opinions have more sustenance than the immature, ultra-libertarian view that government's role is to shrink into nonexistence, ridding the world of its evil. I understand the government is both extremely powerful, yet also inefficient in some cases. I like government, but only when the correct checks and balances are in place.

  • by Anonymous Coward on Monday December 03, 2012 @09:30PM (#42175153)

    With your experience in malware research, what percentage of malware in use today do you see as being from criminals vs how much is from rogue governments such as China or the US and how do you see that percentage changing over the next ten years? Technically two questions but they are deeply related.

  • by slashmydots (2189826) on Monday December 03, 2012 @09:44PM (#42175241)

    Why did the 2012 version get so unbelievably bulky and slow when everyone knows that has killed dozens of antivirus products in the past? At the same time, the kings of bulky and slow, Symantec, improved their product so much it's not virtually the fastest. My shop would never carry them because I hate them to an unbelievable degree but now we don't carry Kaspersky either. It's just too detrimental to performance. What happened?

  • by Anonymous Coward on Monday December 03, 2012 @10:15PM (#42175423)

    Mr. Kaspersky,

    Your position running a leading high technology company out of a former Iron Curtain country gives you a unique perspective combining a deep knowledge of information technology with a deep local knowledge of the strengths and weaknesses and possibilities in the largest country in the world. Please spell out for us how Russia could become the dominant country in high tech by the end of the 21st century, displacing Silicon Valley, by making the best use of various local strengths. Please focus your answer on educating us about the resources which Russia has in its people, its institutions, and its society. This is not a question about whether or not this will happen, but a question about what things exist today in Russia in an early stage which could lead to a great leap forward if they are managed correctly.

    I believe that Russia is unfairly characterized in the English language media by journalists who do not really understand the richness and variety of the that they are writing about. Please enlighten us.

  • by Aryeh Goretsky (129230) on Monday December 03, 2012 @11:15PM (#42175773) Homepage

    Hello,

    If there was one piece of behavior you could change in home Internet users, what would it be?

    Regards,

    Aryeh Goretsky

  • by MultiPak (2475794) on Tuesday December 04, 2012 @09:00AM (#42178089)

    Considering the level of suppression and corruption at all levels in Russia (as compared to EU), how can you guarantee your customers' safety when many International businesses cannot justify operating in Russia?

  • by AmiMoJo (196126) * <mojoNO@SPAMworld3.net> on Tuesday December 04, 2012 @09:18AM (#42178217) Homepage

    Most commercial AV software is pretty slow and bogs down your system. In comparison Microsoft Security Essentials doesn't. The argument has always been that MSE and similar lightweight AV software won't give you 100% protection, but is the extra 0.1% worth the weight of a full "internet security" suite?

  • by Nothing2Chere (1434973) on Friday December 07, 2012 @01:24AM (#42212799)

    Why is the Management Server software as crap as it is?
