Regarding Kaspersky

Why do threat modeling when you can split into warring factions, after all?

I cannot for the life of me understand why this debate is getting so fraught, because it’s really quite straightforward.  This has next to nothing to do with the personal character of Yevgeny Kaspersky. I don’t know him and I don’t feel myself qualified to comment on him, although for what it’s worth he did attend the KGB’s technical college. It has everything to do with:

  1. your supply chain
  2. the personal character of Vladimir Putin
  3. the character of Vladimir Putin’s alleged government

Being nervous about Kaspersky doesn’t require that you think Yevgeny is a devious KGB agent assigned to infiltrate the networks of Russia’s adversaries by cunningly producing a high-quality security product. That’s goofy. Most likely Yevgeny is exactly what he says he is, and none of that matters, because Putin is a mafia thug. Kaspersky lives in Russia, his family lives in Russia, the families of most of his employees live in Russia, and the supply chain originates in Russia, all within reach of Vladimir Vladimirovich’s mafia thuggery.

There’s a lot of RUMINT out there regarding intel collaboration with the FSB and backdoors etc, but the truth-value of the RUMINT is beside the point.  Even if, as is likely, Kaspersky products are not backdoored now, there is reason to fear that in the future the Russian government may choose to compel cooperation, either through financial or physical intimidation.

Now that real-time updates are the bread-and-butter of security products, I’m curious to know how the anti-anti-Kaspersky crowd plans on defending against some future backdoor.  This is not a hypothetical: you may remember Russian intelligence owned MEDoc’s update servers and used them to push out a little exfil-and-wipe program called Nyetya to anyone who pays taxes online in Ukraine.  It was pointed out on last week’s Risky Business that aside from the security products, Kaspersky has been developing a secure operating system for various kinds of critical infrastructure, which presents an even bigger threat than Nyetya-esque attacks.  In a world in which CRASHOVERRIDE already exists, I’m not sure I want to make infrastructure attacks easier for any state-level actor.

So no, it is not “Russophobia” to suggest that perhaps it’s not the wisest idea to run Kaspersky products on natsec and other critical infrastructure. Don’t be horrible: people like me who are worried about Kaspersky products are worried about a situation in which threat of violence is used to force Yevgeny to play ball. Shut the fuck up and do your threat modeling.


The Palestine Principles

I used to live in Jerusalem, for my sins, and when we finally got out of there, my friends and I set to work finding the general cases for the lessons we’d learned about surviving as politically questionable expats in an occupied city.  If you’re a middle-class young person from a G8 country, living at the mercy of what is often referred to merely as the Situation or somewhat more theologically as the Inshallah Factor has a bit of a learning curve to it.  While we were on the spot, the Moscow Rules had been bandied about a lot, so we tried to get our list down to ten, for symmetry.  Our rules were these:

  1. Everything is political, including this rule.
  2. The true partisan can rationalize anything.
  3. Assume nothing.
  4. Keep a low profile.
  5. It never goes smooth.
  6. Never go against your gut.
  7. Have an exit strategy.
  8. Technology is your enemy.
  9. Don’t try to disrupt known surveillance.
  10. Whatever you did, you’ll hear about it at the border.

When we wrote them, we meant these for the unaffiliated foreign bystander in places like the West Bank or Ukraine, but someone had proposed a general theory that once 1 and 2 held good in a society, it was only a matter of time before the rest would start to apply as well.  It’s starting to look like we’re going to find out.