Why do threat modeling when you can split into warring factions, after all?
I cannot for the life of me understand why this debate is getting so fraught, because it’s really quite straightforward. This has next to nothing to do with the personal character of Yevgeny Kaspersky. I don’t know him and I don’t feel myself qualified to comment on him, although for what it’s worth he did attend the KGB’s technical college. It has everything to do with:
- your supply chain
- the personal character of Vladimir Putin
- the character of Vladimir Putin’s alleged government
Being nervous about Kaspersky doesn’t require that you think Yevgeny is a devious KGB agent assigned to infiltrate the networks of Russia’s adversaries by cunningly producing a high-quality security product. That’s goofy. Most likely Yevgeny is exactly what he says he is, and none of that matters, because Putin is a mafia thug. Kaspersky lives in Russia, his family lives in Russia, the families of most of his employees live in Russia, and the supply chain originates in Russia, all within reach of Vladimir Vladimirovich’s mafia thuggery.
There’s a lot of RUMINT out there regarding intel collaboration with the FSB, backdoors, etc., but the truth-value of the RUMINT is beside the point. Even if, as is likely, Kaspersky products are not backdoored now, there is reason to fear that in the future the Russian government may choose to compel cooperation, through either financial pressure or physical intimidation.
Now that real-time updates are the bread-and-butter of security products, I’m curious to know how the anti-anti-Kaspersky crowd plans on defending against some future backdoor delivered through that update channel. This is not a hypothetical: you may remember Russian intelligence owned M.E.Doc’s update servers and used them to push out a little exfil-and-wipe program called Nyetya to anyone in Ukraine who uses that software to pay taxes online. It was pointed out on last week’s Risky Business that, aside from the security products, Kaspersky has been developing a secure operating system for various kinds of critical infrastructure, which presents an even bigger risk than Nyetya-esque attacks: it would sit underneath the control systems themselves. In a world in which CRASHOVERRIDE already exists, I’m not sure I want to make infrastructure attacks easier for any state-level actor.
So no, it is not “Russophobia” to suggest that perhaps it’s not the wisest idea to run Kaspersky products on natsec and other critical infrastructure. Don’t be horrible: people like me who are worried about Kaspersky products are worried about a situation in which the threat of violence is used to force Yevgeny to play ball. Shut the fuck up and do your threat modeling.