
Interviews: Ask What You Will of Eugene Kaspersky

Posted by timothy
from the make-his-day dept.
Eugene Kaspersky probably hates malware just as much as you do on his own machines, but as the head of Kaspersky Labs, the world's largest privately held security software company, he might have a different perspective — the existence of malware and other forms of online malice drives the need for security software of all kinds, and not just on personal desktops or typical internet servers. The SCADA software vulnerabilities of the last few years have led him to announce work on an operating system for industrial control systems of the kind affected by Flame and Stuxnet. But Kaspersky is not just toiling away in the computer equivalent of the CDC: He's been outspoken in his opinions — some of which have drawn ire on Slashdot, like calling for mandatory "Internet ID" and an "Internet Interpol". He's also come out in favor of Internet voting, and against SOPA, even pulling his company out of the BSA over it. More recently, he's been criticized for ties to the current Russian government. (With regard to that Wired article, though, read Kaspersky's detailed response to its claims.) Now, he's agreed to answer Slashdot readers' questions. As usual, you're encouraged to ask all the questions you'd like, but please confine your questions to one per post. We'll pass on the best of these for Kaspersky's answers. Update: 12/04 14:20 GMT by T : For more on Kaspersky's thoughts on the importance of online IDs, see this detailed blog posting.
  • by eldavojohn (898314) * <eldavojohnNO@SPAMgmail.com> on Monday December 03, 2012 @12:21PM (#42170561) Journal
    I feel like when someone is as deep in malware protection as you are, you're basically running malware and, I assume, developing malware or finding exploitable aspects of software. I notice you "discover" a lot of malware but I don't recall seeing you publish any exploits. How much malware development do you do? Any at all? Is there anyone in your company that attempts to mimic what other malware does so you can better understand it? Do you feel like that is a necessity in the field of malware protection?
  • by whizzter (592586) on Monday December 03, 2012 @12:23PM (#42170595) Homepage

    Sorry could not resist :)

  • by eldavojohn (898314) * <eldavojohnNO@SPAMgmail.com> on Monday December 03, 2012 @12:28PM (#42170649) Journal
    Recently you confirmed you're working on an exploit-free OS [kaspersky.com] following all the SCADA attacks. Among other things, you're claiming it is to be written from scratch [securelist.com] but I can't find many details on what it's going to look like architecturally. You say:

    Architecturally, the operating system is constructed in such a way that even a break-in into any of the components or applications loaded onto it won’t allow an intruder to gain control over it or to run malicious code.

    Could you expound on this? Are you writing this code or still in the design phase? Or better yet, could you compare it to something like, say, CentOS or Debian and tell us how your architecture is going to be more secure? I understand you're scoping down the requirements of your OS to be more easily manageable but the skeptic in me feels like it just can't be done. The cat and mouse game must be played in some form or fashion.

    • by Synerg1y (2169962)
      Not an OS in the traditional sense. It's mission specific firmware code tailored for single purposes. They're in for a nasty surprise when they discover that not all industrial systems are set up in the same manner, time period, or with the same risk scope.
      • by vlm (69642)

        Not an OS in the traditional sense. It's mission specific firmware code tailored for single purposes.

        So.... it's freedos run as virtualization images? An awful lot of embedded work got done before modern OS and it's still getting done more or less despite them.

        • by anubi (640541)
          I wonder how a RTOS like Micrium's uCOS [micrium.com] holds up to this.
          • by vlm (69642)

            I don't think RTOS like being virtualized very much. Overhead. I use linuxcnc on my milling machine and the devs make a big deal out of microseconds.

      • by Elbereth (58257) on Monday December 03, 2012 @01:35PM (#42171389) Journal

        Well, yes, but I think Kaspersky is advocating that we swing the pendulum in the opposite direction: instead of making trade-offs against security, we make a niche OS that makes all of its trade-offs in favor of security, trying to keep in mind the specific needs of industrial control systems. He's also advocating -- if you'll forgive me -- a paradigm shift, in which security becomes the mantra, rather than stability. This is unsurprising, coming from a security professional. I can't say whether he's an ideological fool or a visionary, but they are not mutually exclusive.

        Of course, convincing people to use an operating system that made all of its trade-offs against ease-of-use, backwards compatibility, features, and stability may end up being even harder than writing it.

        • Of course, convincing people to use an operating system that made all of its trade-offs against ease-of-use, backwards compatibility, features, and stability may end up being even harder than writing it.

          Nah, it's not hard to convince people that matter to use the operating system. Or, rather, I should say that shouldn't be a goal to get mainstream adoption. I too am creating a security focused operating system from scratch -- Uses separate isolated call stacks rather than place data and code pointers in the same stack, and some other tricks to keep code pointers in heap data structures from being modified. My design calls for a different compilable programming language other than C as a base because C's

        • I think stability is very important, finding system instabilities is often an easy way to find security exploits. Also, if the system crashes it's essentially a DOS attack, whether or not the attacking entity is a human or random chance.

          And there already is a niche OS that makes all of its trade-offs in favor of security, it's called OpenBSD. It's BSD licensed, so could be a good starting point for an industrial control OS focused on security and stability.
  • Did... your special relationship with Russia's former KGB help secure your son, or would any Russian have received that prompt service?
  • by chill (34294) on Monday December 03, 2012 @12:31PM (#42170685) Journal
  • by lister king of smeg (2481612) on Monday December 03, 2012 @12:34PM (#42170711)

    You plan on making a secure OS for industrial/infrastructure systems. Do you plan on basing it on preexisting open kernels: BSD, Linux, Haiku, Mach? Will it be Unix/POSIX-like? Will it be a monolithic or microkernel? Or are you thinking more of a hypervisor that hosts and monitors the guest OS for the SCADA systems?

  • by davecrusoe (861547) on Monday December 03, 2012 @12:37PM (#42170737) Homepage

    There's much talk about combating malware through technical solutions (e.g., adding transparency to communication, building increasingly sophisticated scanning systems, etc).

    But what interests me is what we should be teaching our young people (students, in primary and secondary school) with respect to the expertise we wished that all adults possessed.

    In your estimation, what are 2-3 things that, if young people understood well, would help them excel in the face of cyber adversity (e.g., malware, privacy theft, etc)?

    --Dave

  • Online anonymity (Score:5, Interesting)

    by gallondr00nk (868673) on Monday December 03, 2012 @12:42PM (#42170815)

    Recent protest movements and the Arab Spring have shown that the ability to use the Internet anonymously is crucial to organising resistance and circumventing censorship or oppression. In light of that, have you modified your views on the "Internet ID"?

  • by csumpi (2258986) on Monday December 03, 2012 @12:42PM (#42170817)
    What's the easiest way to wipe all the Kaspersky bloat/trial/crapware from new Windows machines?
    • by jandrese (485)
      I've never seen an OEM PC with any Kaspersky stuff on it.
      • Received it today:

        Description: VAIO S Series 15 Custom Laptop
        Component: 750GB (7200rpm) hard drive
        Component: 3rd gen Intel® Core i7-3632QM quad-core processor (2.20GHz / 3.20GHz with Turbo Boost)
        Component: NVIDIA® GeForce® GT 640M LE (2GB) hybrid graphics with Intel® Wireless Display technology
        Component: Windows 8 64-bit
        ...
        ...
        Component: Internal lithium polymer battery (4400mAh)
        Component: Kaspersky® Internet Security (30-day trial)
        Component: Black
  • According to Wikipedia [wikipedia.org], Natalia Kaspersky, former CEO and co-majority shareholder of Kaspersky Lab released a statement supporting Russia's interest in a countrywide firewall similar to the Great Firewall of China. The definition of 'malware' I most prefer is "Software that is intended to damage or disable computers and computer systems." I see implementations like countrywide firewalls to be little more than disabling computers and computer systems by limiting their ability to connect to other computers. Would you care to comment on why government malware is okay or even desired? Would you care to refute Natalia's position that appears in Kaspersky Lab's Wikipedia article?
  • by AaronLS (1804210) on Monday December 03, 2012 @12:45PM (#42170851)

    Do you believe everyone could be issued an ID, and still remain anonymous? What I mean is, I believe that you could ensure each of your users is unique, but not necessarily know who they are. If everyone is issued a certificate signed by some trusted authority, one could verify that the certificate is valid, without the certificate exposing the information about who you are. You could even have a scheme that lets the authority issue you multiple IDs, but only one for each unique ForUseWithDomain attribute, such that if you wanted to keep your identity from being correlated across different sites, you could do so. This could probably even be automated.

    This would ensure that if you banned a malicious user from your site, they wouldn't be able to come back without compromising someone else's certificate. Yet, you still get a high level of anonymity.

    Sites that require non-anonymous access could deny anonymous certificates, and require that you authorize access to full name perhaps. This would be like OpenID in the way it will prompt you for a site requesting additional information, like your email.
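
The per-domain ID scheme from the comment above, as an added sketch in Go (not part of the thread and not any real identity system's API). The names `Authority`, `Site`, `Issue` and `Admit` are hypothetical, the HMAC derivation and Ed25519 signature are one assumed way to realise it, and "alice" and the `.example` domains are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authority is the hypothetical trusted issuer; priv and secret never leave it.
type Authority struct {
	Pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
	secret []byte // keys the pseudonym derivation
}

// Credential names no person: only a pseudonym bound to one domain.
type Credential struct {
	Pseudonym, ForUseWithDomain string
	Sig                         []byte
}

var (
	ErrWrongDomain  = errors.New("credential issued for another domain")
	ErrBadSignature = errors.New("credential not signed by the authority")
	ErrBanned       = errors.New("pseudonym is banned on this site")
)

func NewAuthority() *Authority {
	buf := make([]byte, 64) // 32-byte signing seed + 32-byte HMAC secret
	if _, err := rand.Read(buf); err != nil {
		panic(err) // no entropy, nothing safe to issue
	}
	priv := ed25519.NewKeyFromSeed(buf[:32])
	return &Authority{Pub: priv.Public().(ed25519.PublicKey), priv: priv, secret: buf[32:]}
}

// signedBytes is what the signature covers; domains are assumed NUL-free.
func signedBytes(pseudonym, domain string) []byte {
	return []byte("pseudonym-cred-v1\x00" + domain + "\x00" + pseudonym)
}

// Issue derives the pseudonym as HMAC(secret, person, domain): one stable ID
// per person per domain, uncorrelatable across domains without the secret.
func (a *Authority) Issue(person, domain string) Credential {
	mac := hmac.New(sha256.New, a.secret)
	fmt.Fprintf(mac, "%d:%s|%s", len(person), person, domain)
	p := fmt.Sprintf("%x", mac.Sum(nil))
	return Credential{p, domain, ed25519.Sign(a.priv, signedBytes(p, domain))}
}

type Site struct {
	Domain string
	Pub    ed25519.PublicKey // the only authority key a relying party holds
	Banned map[string]bool
}

// Admit checks the domain binding, then the signature, then the ban list.
func (s *Site) Admit(c Credential) error {
	switch {
	case c.ForUseWithDomain != s.Domain:
		return ErrWrongDomain
	case !ed25519.Verify(s.Pub, signedBytes(c.Pseudonym, c.ForUseWithDomain), c.Sig):
		return ErrBadSignature
	case s.Banned[c.Pseudonym]:
		return ErrBanned
	}
	return nil
}

func main() {
	a := NewAuthority()
	forum := &Site{"forum.example", a.Pub, map[string]bool{}}
	forum.Banned[a.Issue("alice", "forum.example").Pseudonym] = true // constructed user
	fmt.Println(forum.Admit(a.Issue("alice", "forum.example"))) // ErrBanned
	fmt.Println(forum.Admit(a.Issue("alice", "shop.example")))  // ErrWrongDomain
}
```

In this sketch the authority can recompute every pseudonym, so the anonymity holds against sites comparing notes, not against the issuer itself.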

  • by Anonymous Coward on Monday December 03, 2012 @12:46PM (#42170857)

    In a small Latin American country like Belize. You've gone on the run, the police are hunting you and your options for escape are coming up short. You've started a blog to discuss your situation, but no external entities have helped. What's your next step?

    -- John

  • by Zaphod-AVA (471116) on Monday December 03, 2012 @12:47PM (#42170863)

    Malware continues to be successful despite our current efforts. Why do we continue to use the same failed security model? Automated white listing seems like a better answer to modern security problems.

  • For a life of adventure? It seems to be the in thing for writers of AV software these days.

  • What's... (Score:3, Insightful)

    by Antipater (2053064) on Monday December 03, 2012 @12:51PM (#42170913)
    your favorite brand of vodka?
  • If you're in favor of "mandatory internet ID" as the summary says, what form should that take? I have been an advocate of fixed IP addresses for everyone, but would something like that be sufficient? I realize there may be issues with mobile devices, but in principle does a fixed IP come close to what you're in favor of? Or is it something much more complex?
  • by swb (14022) on Monday December 03, 2012 @01:00PM (#42170991)

    Does Kaspersky have a relationship with the Putin administration or the FSB?

    Do either of these organizations have any influence on the business practices or technology of Kaspersky antivirus?

    Should a security minded person be concerned with the geographic origin of security software?

  • Ken Thompson's Hack (Score:5, Interesting)

    by Sarten-X (1102295) on Monday December 03, 2012 @01:04PM (#42171031) Homepage

    One of the threats I expect to see more of is in the vein of Ken Thompson's hack [bell-labs.com], where a compiler (or any other build tool) hosts a trojan and infects other programs it compiles (or links, assembles, etc.) practically undetectably. With open-source software taking an ever-more-vital role in the Internet's core systems, will this kind of attack be easier to detect (perhaps due to the widespread availability of still-clean compilers), or more difficult (perhaps due to the wide network of trusted developers)?

    • Mentions of Ken Thompson's Reflections on Trusting Trust should also mention David A. Wheeler's "Fully Countering Trusting Trust" [dwheeler.com] which provides a means of identifying and resolving a malicious compiler.

    • Well, you could, in the case of an open source compiler, read the source, or if you don't have the expertise in that area, hire a (team of) code analysts / auditors / programmers. You could also compare the binaries of two different standard-compliant compilers that have compiled the same code on the same hardware. You could also write your own compiler and bootstrap your own system from source, a la Gentoo/Linux From Scratch.

      • by eer (526805)

        No, actually, you can't. It's computationally infeasible to find deliberately hidden malware in a body of code, whether source or object. So no amount of analysis and/or testing can ever reliably tell you whether in fact your existing system is corrupt. You can only accomplish that by starting with a formal set of requirements that you can then successively refine into code that is (a) minimal, and (b) demonstrably maps directly to your formal specifications and their requirements. Any excess beyond what

  • Mr. Kaspersky are you safe?

    You're operating out of the same country that has a ton of botnet operators and raking in some decent dough with cheap pharmaceutical sales thanks to people desperate or naive enough to do so.

    There have been some interesting stories hailing from your corner of your world. How do you feel with your ability to run your company the way you want and without any threats to you or your staff?

  • I was surprised that companies don't rig the install disc to be self booting anymore. Why is this??

    would not be a problem but an updated bootable copy seems to be either Voodoo or in the form of download a full copy every time

  • Internet X meme (Score:5, Interesting)

    by vlm (69642) on Monday December 03, 2012 @01:17PM (#42171173)

    You seem to support the "Internet X" meme where X is whatever we have in the physical world. ID, passport, voting, interpol, perhaps others. Why?
    I mean we are all techies here, OK, so we don't have to act all "marketing" with each other about our new "selling dog food over the internet" patent and so forth.

    I've got a perfectly good ID in the physical world that I share with amazon.com called my postal addrs and my CC number, and we're both perfectly happy with that situation. I've got a perfectly good paper and ink passport for crossing international borders, an internet one seems pointless. I/we have an Interpol who already handle crime about as well as any multinational police force could ever hope to, so I'm unclear what one on the internet would do that the real one isn't already fully responsible for. I have a perfectly good voting site 2 blocks from my house where I can vote in person using optical scanned ballots in perfect safety for like 12 hours on voting day, with no intimidation, and very limited to non-existent corruption because there's both a paper and ink ballot and an instant optical scan, what needs fixing about that or moving to the internet?

    You've listed some things that have evolved over time to, basically, work pretty well. What is the point of let's replicate that "... on the internet"? Wouldn't we be all better off if we just improved the real Interpol, instead of making a second shadowy clone? Or improved voting, not just "add internet voting". Or improved ID, not "add another form of ID to be stolen"?

    Or looking at it another way, why not "Internet X" where X is stuff that doesn't work. Health care. Taxes. Politics. Debating.

    I don't see this as a strictly financial self interest question, for example you can probably make as much dough, or more, selling to the real Interpol as selling instead to a shadowy secondary clone. What do you care what the name on the invoice is?

    From a techie perspective I/we see this as weird. Say my video card is getting slow/flakey. I could fix the one I have by blowing the dust off the fan, but, naah I'll get a shadowy secondary video card that is a mystery and not nearly as debugged, and try to get them to work in parallel... No that's just not how techies work. We know better.

    So why "Internet X"? Not just "improve X"?

  • criticized for ties to the current Russian government.

    You'll have to give me a break because all the links WRT this topic in our provided summary were 404 when I checked a couple seconds ago, so if I mischaracterize anything then it's all timothy's fault.

    Anyways WRT to corp govt relations, I'm guessing the model of the disagreement is:

    In the US the corps completely own and control the govt and no other groups or individuals have any input or control over the govt, and we expect everyone else to live that way, but in .ru, the relationship is not quite as central

  • Many pieces of software and hardware used in Healthcare are required to pass FDA certification, especially in areas like radiology. Often times, these vendors report that because they are certified on a certain patch level, these systems cannot be patched without losing that certification. Do you see any solutions to the current state of industry-specific software's seeming lack of quality, updates and security?
  • by eer (526805) on Monday December 03, 2012 @01:27PM (#42171295)

    Given the long established history with reference monitors and Class A1 design, will your from-scratch OS follow TCSEC (Orangebook) guidance so as to provide verifiable assurance that no trap doors or Trojan horses exist in the code? If not, what is your approach, instead?

  • Who is winning? (Score:3, Interesting)

    by Anonymous Coward on Monday December 03, 2012 @01:28PM (#42171297)

    Mr. Kaspersky,

    Who is winning the Cyberwar?

  • Given the long established practice in high assurance computer systems design to use segments to represent base-level security objects (so as to maximize alignment of hardware-enforced security policies with promised protections of the objects), will your new OS design rely on segments to represent security objects, or if not, what hardware abstraction will you use, instead?

  • by concealment (2447304) on Monday December 03, 2012 @02:09PM (#42171861) Homepage Journal

    But Kaspersky’s rise is particularly notable—and to some, downright troubling—given his KGB-sponsored training, his tenure as a Soviet intelligence officer, his alliance with Vladimir Putin’s regime, and his deep and ongoing relationship with Russia’s Federal Security Service, or FSB.

    http://www.wired.com/dangerroom/2012/07/ff_kaspersky/all/ [wired.com]

    Any comment on these allegations?

  • by Anonymous Coward

    You've been in computer security a long time, and have seen many things come and go.
    DOS/bootsector viruses, Windows viruses, macro viruses, rise of worms to replace them, and now the commercialization of malware with botnets, extortion-ware and the targeted weaponised malware like the one that hit Iran (and who knows what else).

    What's changed? What's remained the same? What about the malware creators - has their motivation changed?
    Where do you believe things are headed?

  • by Fnord666 (889225) on Monday December 03, 2012 @02:52PM (#42172299) Journal
    I assume that various state sponsored agencies provide you with their "research" tools and ask that you not detect them with your products nor should you interfere with their operation. To what extent does this happen, to what degree are you "asked" to comply, and to what degree are you forbidden to discuss this topic? Do you, or if you had the opportunity to do so without repercussions would you offer a version of your products that identified and disabled this spyware?
  • What brought about the move to sponsor the Ferrari Formula One Racing team in 2011 and 2012?

  • Of course, malware is making him rich and famous, how could it be otherwise.

    Other things E.K. loves: poorly conceived O/Ses ; lack of education in users ; and the status quo in matters of computer security.

    I'm personally convinced that anti-malware software is a useless hack. Without it, we would have moved away long ago from easily hackable systems.

  • What arm of the Russian mafia did you send to whack John McAfee's neighbor? :-)

  • This is kind of a two part question. Or more like one statement and one question.

    We see Apple growing in market share and one of the memes that has been accepted by a large part of the community is that Apple is not targeted by malware authors in part because the return on investment is not as high as it is for Windows machines. To put it another way, if a malware author targets Windows they get millions of home users, but more importantly, they also have the potential to infect corporate systems, server

  • Are there any grounds to allegations that antivirus companies may be involved with creating malware, as a form of job security?

  • by magic maverick (2615475) on Monday December 03, 2012 @04:20PM (#42173107) Homepage Journal

    While MS Windows is the most common computer OS around, there are obviously many others. For your personal use, what is your main OS, and how do you keep it secure (do you, e.g. run MS Windows with anti-malware software, or do you run Ubuntu Linux with the defaults)? Is this a setup that you would suggest for others, or is it too esoteric?

  • [Introduction] (My apologies for the long introduction to the question, but Slashdot only allows one!)

    Mr. Kaspersky,

    In the 1970's, following an Arab enforced oil embargo on Israel, the United States found itself amidst an energy crisis. President Jimmy Carter educated America on the Energy Crisis, warning that the issue could escalate into a national crisis, and equating the energy crisis "the Moral Equivalent of War." President Carter outlined 10 policies which touched on reducing demand through conserv

  • With your experience in malware research, what percentage of malware in use today do you see as being from criminals vs how much is from rogue governments such as China or the US and how do you see that percentage changing over the next ten years? Technically two questions but they are deeply related.

  • Why did the 2012 version get so unbelievably bulky and slow when everyone knows that has killed dozens of antivirus products in the past? At the same time, the kings of bulky and slow, Symantec, improved their product so much it's now virtually the fastest. My shop would never carry them because I hate them to an unbelievable degree but now we don't carry Kaspersky either. It's just too detrimental to performance. What happened?
  • Mr. Kaspersky,

    Your position running a leading high technology company out of a former Iron Curtain country gives you a unique perspective combining a deep knowledge of information technology with a deep local knowledge of the strengths and weaknesses and possibilities in the largest country in the world. Please spell out for us how Russia could become the dominant country in high tech by the end of the 21st century, displacing Silicon Valley, by making the best use of various local strengths. Please focus y

    • by bytesex (112972)

      You're doing what annoying people sometimes do at conferences: disguising an overly pompous and wordy opinion as a question. Don't do that.

  • by Aryeh Goretsky (129230) on Monday December 03, 2012 @10:15PM (#42175773) Homepage

    Hello,

    If there was one piece of behavior you could change in home Internet users, what would it be?

    Regards,

    Aryeh Goretsky

  • Considering the level of suppression and corruption at all levels in Russia (as compared to EU), how can you guarantee your customers' safety when many International businesses cannot justify operating in Russia?
  • Most commercial AV software is pretty slow and bogs down your system. In comparison Microsoft Security Essentials doesn't. The argument has always been that MSE and similar light weight AV software won't give you 100% protection, but is the extra 0.1% worth the weight of a full "internet security" suite?

  • Why is the Management Server software as crap as it is?
