Around a̵ ̵w̵e̵e̵k̵ ̵a̵g̵o̵ ̵(̵?̵)̵ a couple days ago someone made a post on /̵r̵/̵c̵y̵b̵e̵r̵s̵e̵c̵u̵r̵i̵t̵y̵ /r/hacking where he made a scraper and analyzed all the malware he could find. The number of repos was in the ~1000s; he shared them in a spreadsheet. GitHub as a domain is feasible as a malware dropper domain due to it being allow-listed by Microsoft. The attackers seem to use bots to use the releases section of other repositories; the code is there, too, but incomplete.
They were also targeting many popular games like Fortnite, Valorant, CS2 and others with their cheats that contained the malware. It was kind of interesting to see because they used a lot of screenshots in the README files that seemingly were enough to convince gamers to install the malware.
The dropper/stealer samples that I took a look at were obfuscated Python bundles targeting Win11 and lots of different browser cookie storages, password managers, and even replaced the MetaMask extension inside the browser profile with another one after stealing all the session cookies and passwords. As an exfil technique they used Discord, and you could see lots of different ranks of the Discord server, with the API tokens and PayPal IDs and other things that they automated their payments with.
It was super interesting to see that they switched to using Python there, because it's an odd choice from a redteam perspective.
I still have the deobfuscated code somewhere, not sure if I can find the link to the original research article again. Couldn't find it with the shitty reddit search.
edit: Man, this weekend has been way too long. Here are the links to the original article from only a couple days ago:
[3] The Google spreadsheet (archive link because traffic limit has been reached I guess): https://archive.is/ijiWP
edit 2: The pubhtml file of the Google spreadsheet I also have on my hard drive, but it's ~23MB. Maybe I can make a gist out of that later? The spreadsheet didn't show an export button or UI, that's why I used wget at the time.
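The traits the post describes (a decode-then-exec layer over a long encoded blob, plus a hard-coded Discord webhook for exfiltration) are cheap to triage for statically. The following is an added example of such a triage check, written for this thread rather than taken from the post or the research it refers to. The indicator patterns and thresholds are assumptions, and the sample input is constructed: its encoded blob decodes to a harmless snippet and the webhook is a placeholder.

```python
"""Static triage of a Python file for obfuscation and Discord-exfil traits.
Added example: not the analysis from the original post. Thresholds are
assumptions; the samples below are constructed and harmless."""
import base64
import math
import re
from collections import Counter

# Constructed sample: a decode->exec layer plus a placeholder webhook. The
# inner snippet only prints, but the *shape* mirrors the stealer bundles.
_INNER = (
    "import platform\n"
    "info = {'host': platform.node(), 'system': platform.system()}\n"
    "print('decoded layer ran; a real stealer would collect browser data here')\n"
).encode()
SAMPLE_MALICIOUS = (
    "import base64\n"
    f"exec(base64.b64decode({base64.b64encode(_INNER).decode()!r}))\n"
    "WEBHOOK = 'https://discord.com/api/webhooks/000000000000000000/EXAMPLE_TOKEN'\n"
)
# Constructed benign sample for comparison.
SAMPLE_BENIGN = (
    "import json\n"
    "def load(path):\n"
    "    with open(path) as fh:\n"
    "        return json.load(fh)\n"
)

# Indicator patterns (assumed for this example, not an exhaustive catalogue).
DECODER_RE = re.compile(
    r"\b(b64decode|b32decode|a85decode|decompress|fromhex|marshal\.loads)\b"
)
EXEC_RE = re.compile(r"\b(exec|eval)\s*\(")
# A quoted run of >=150 base64-alphabet characters: typical of packed payloads.
B64_LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/=]{150,})['\"]")
WEBHOOK_RE = re.compile(
    r"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+"
)


def shannon_entropy(s):
    """Bits per character; compressed or encrypted blobs score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(src):
    """Return a sorted list of indicator names found in the source text."""
    found = set()
    for line in src.splitlines():
        # exec()/eval() fed directly by a decoder on the same line
        if EXEC_RE.search(line) and DECODER_RE.search(line):
            found.add("exec_of_decoded_blob")
    for match in B64_LITERAL_RE.finditer(src):
        found.add("long_base64_literal")
        if shannon_entropy(match.group(1)) > 4.5:  # assumed threshold
            found.add("high_entropy_literal")
    if WEBHOOK_RE.search(src):
        found.add("discord_webhook")
    return sorted(found)


if __name__ == "__main__":
    print("malicious sample:", scan_source(SAMPLE_MALICIOUS))
    print("benign sample:", scan_source(SAMPLE_BENIGN))
```

Hits on a single indicator are not a verdict (plenty of legitimate packaging tools embed base64), but two or more together on an unknown repo are a good reason to open the file in a sandbox before trusting the README screenshots.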
What makes you sure the malware described here is the same as the one you read about before? After all, GitHub isn't limited to one malware campaign at a time.
The structure of the archive looked very similar to the sample I was analyzing.
The securelist article [1] also describes the same malware techniques and stealer behaviors, just in a far less detailed way than the original reddit post.
edit: updated my grandparent comment with the reddit links. It was on /r/netsec and /r/hacking and not on /r/cybersecurity where the author posted it first :D
This is dated February 24, which is before I noticed all these other investigations hitting Reddit and HN. Seems maybe they were just piggybacking off Kaspersky
> It was super interesting to see that they switched to using python there, because it's an odd choice from a redteam perspective.
Is it really that surprising? Using Python makes it easy to write their "business logic" and if they get caught, they just tweak the way they are obfuscating it. They aren't using any fancy exploits that they want to protect, this is the equivalent of a smash and grab robbery.
The number of developers I've met who will just download, compile, and run stuff from GitHub in the same way as if it was closed-source, i.e. paying no attention to the fact that the source is available for inspection, is surprisingly large.
I think being on GitHub (and seemingly open source) gives developers a false sense of security in that they assume the code is open and therefore community vetted and that the developer has nothing to hide.
I suspect people who would know not to download and run a random binary off the internet would download, compile and run projects from GitHub.
I mean, you can use static analysis or similar, but you generally can't check every line of code for every open source lib you pull in, let alone its dependencies.
Seems that, once you decide to use open source, you are actually making a choice to trust to some extent.
Commercial Linux distributions like Red Hat, Suse and Canonical stake their reputation on compiling a trustworthy collection of open source software, in exchange for money. Unfortunately they disclaim any legal responsibility, but at least they make reasonable efforts to analyze the security of the software they are distributing, in order to avoid PR disasters.
For some reason the same business model has not made many inroads for higher-level language ecosystems, although many companies are trying - for example the Python Conda distribution.
Although the "repo" is a list of manifest files that include third-party download sources. So even if there is an approval process it seems to be quite vulnerable to including malware.
They could build an optional "risk score" that open-source community-oriented projects could turn on. It could include requirements like having something dependabot-esque along with CodeQL enabled. Rules could be created for CodeQL (if they haven't already) that check for obfuscated code, suspicious access (keychain, password storage, etc.) and other items.
On top of that it could have forced release binary scanning via VirusTotal/insert-malware-scanning-vendor-here.
This is the problem, the best we can do is pay via exposure. But that actually ain't nothing. Not just individuals, but also orgs could then make money from private contracts based on their reputations? This should be the benchmark of trust. Could there be anything better?
Excellent question. No, I am not. I am just attempting to use my very limited knowledge on this subject to hopefully further discussion on a topic that feels really important.
I would love other people to jump in and elevate this conversation.
Sure, CVEs might not be the ideal metric. Could you, or anyone else, suggest a better metric?
If GitHub is too lethargic to even contemplate this type of change, maybe this could be a differentiator for GitLab?
No it won't. I could write you very basic, obvious malware that is obfuscated just enough for Copilot to miss it 100% of the time. Let alone things like what Jia Tan wrote.
Of the 351 malicious repositories in the spreadsheet somebody linked, only 4 have more than 10 stars. None of them have more than 30 stars, and none of them have more than 3 forks. None have more than 5 issues, and only 4 have more than one issue.
You don't have to assume that the code is community-vetted. If a repository has at least a couple hundred stars, lots of forks, and an active pull request cadence, then you know that at least some people have gone digging through it.
If not, then that's when you should break out the sandboxing tools and prepare to check the code yourself. At least it should be easy-ish to automatically check/block everything that has the potential to open a network connection, which defeats most profitable malware models.
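The two heuristics in that comment, community vetting signals on the repository and an automatic check for anything that can open a network connection, can be combined into a pre-run gate. The following is an added example written for this thread, not code from any project mentioned here. The popularity thresholds are assumptions standing in for "a couple hundred stars, lots of forks and an active pull request cadence", the module list is an assumption, and the repository metadata and source snippets are constructed.

```python
"""Pre-run triage: accept community-vetted repos, block unvetted code that can
reach the network, sandbox everything else. Added example; thresholds, module
lists and samples are assumptions, not data from the thread."""
import ast

# Modules whose presence means the code can open a network connection
# (assumed list for this example, not exhaustive).
NETWORK_MODULES = {
    "socket", "ssl", "http", "urllib", "urllib3", "requests", "httpx",
    "aiohttp", "ftplib", "smtplib", "websocket", "websockets", "xmlrpc",
}
# Indirect routes to the network: spawning curl, PowerShell, certutil, ...
SPAWN_CALLS = {"os.system", "os.popen", "os.execv", "os.spawnl"}


def _root(name):
    return name.split(".")[0]


def _dotted(func):
    """'os.system' for os.system(...), '__import__' for __import__(...), else ''."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


def network_capabilities(src):
    """Set of network-relevant capabilities in Python source. Catches plain
    imports, `from x import y`, spawn calls, and dynamic imports with a
    string literal (`__import__('socket')`), a common obfuscation trick."""
    caps = set()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                mod = _root(alias.name)
                if mod in NETWORK_MODULES or mod == "subprocess":
                    caps.add(mod)
        elif isinstance(node, ast.ImportFrom) and node.module:
            mod = _root(node.module)
            if mod in NETWORK_MODULES or mod == "subprocess":
                caps.add(mod)
            elif mod == "os":
                for alias in node.names:
                    if f"os.{alias.name}" in SPAWN_CALLS:
                        caps.add(f"os.{alias.name}")
        elif isinstance(node, ast.Call):
            target = _dotted(node.func)
            if target in SPAWN_CALLS:
                caps.add(target)
            elif target in {"__import__", "importlib.import_module"} and node.args:
                arg = node.args[0]
                if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
                    if _root(arg.value) in NETWORK_MODULES:
                        caps.add(_root(arg.value))
    return caps


def triage(meta, sources):
    """Decide how to treat a repository before running anything from it."""
    vetted = (meta["stars"] >= 200 and meta["forks"] >= 20
              and meta["merged_prs_90d"] >= 5)  # assumed thresholds
    if vetted:
        return "accept"
    caps = set()
    for src in sources:
        caps |= network_capabilities(src)
    return "block_network_capable" if caps else "sandbox_and_inspect"


# Constructed inputs (not real repositories).
POPULAR = {"stars": 850, "forks": 120, "merged_prs_90d": 30}
OBSCURE = {"stars": 12, "forks": 1, "merged_prs_90d": 0}
SRC_SOCKET = "import socket\ns = socket.socket()\n"
SRC_DYNAMIC = "m = __import__('urllib.request')\n"
SRC_SPAWN = "from os import system\nsystem('echo hi')\n"
SRC_PURE = "import json\ndef load(p):\n    with open(p) as fh:\n        return json.load(fh)\n"

if __name__ == "__main__":
    print(triage(POPULAR, [SRC_SOCKET]))
    print(triage(OBSCURE, [SRC_PURE]))
    print(triage(OBSCURE, [SRC_PURE, SRC_DYNAMIC]))
```

The dynamic-import branch matters more than the plain one: the stealer bundles discussed above are obfuscated precisely so that a naive `grep import socket` finds nothing. A string-building `__import__` (concatenated pieces rather than one literal) still slips past this, which is where the sandbox step takes over.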
You can get rid of legacy OS like Windows or Linux that cannot run applications in the sandbox and switch to those which can. In this case the malware only gets a sandbox and not the whole system.
If you work for a commercial company then you should not download the code from random users on GitHub for free but from commercial, safe repositories where the code is inspected, tested and verified. Or from reputable large commercial companies that are unlikely to put in backdoors. Microsoft or Apple won't risk their reputation by backdooring an open-source library.
I don't get it, are there privilege escalation attacks for Windows? I haven't logged in as an administrator since 2005 or so.
We know we can hit the windows key and type "sandbox"? (May need to "install" it from windows features.) Right?
There are software packages that let you snapshot the files and checksums, then compare again after you've run your test program / installer / whatever.
You can make this software "portable" so you don't have to install it every time. You can copy and paste into the sandbox from your windows desktop and drives.
Obviously this isn't Sandboxie or nix or an immutable file system or anything, but let us not pretend it's 1996 and "GoBack.exe" hasn't been invented yet.
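The snapshot-then-compare workflow described above (hash every file, run the installer in the sandbox, hash again, diff) is simple enough to carry as a single portable script. The following is an added example written for this thread, not one of the packages the comment alludes to. It assumes only the standard library; the "installer" in the demo is a constructed stand-in that edits, deletes and creates files in a temporary directory.

```python
"""Filesystem snapshot/diff for sandbox testing of untrusted installers.
Added example, standard library only; the demo tree is constructed."""
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        h = hashlib.sha256()
        with p.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
        snap[p.relative_to(root).as_posix()] = h.hexdigest()
    return snap


def save_snapshot(snap, path):
    """Persist a snapshot so it survives the sandbox being reset."""
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_snapshot(path):
    return json.loads(Path(path).read_text())


def diff_snapshots(before, after):
    """Files that appeared, disappeared, or changed content between snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(k for k in before.keys() & after.keys() if before[k] != after[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed run: snapshot, let a fake 'installer' touch the tree, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config").mkdir()
        (root / "config" / "settings.ini").write_text("[app]\nkey=1\n")
        (root / "readme.txt").write_text("hello\n")
        before = snapshot(root)
        save_snapshot(before, root / "before.json")  # would live outside the tree in practice

        # What the untrusted program did: edit a config, delete a file, drop a new one.
        (root / "config" / "settings.ini").write_text("[app]\nkey=2\n")
        (root / "readme.txt").unlink()
        (root / "startup_hook.bat").write_text("echo constructed\n")

        after = snapshot(root)
        after.pop("before.json", None)  # ignore our own bookkeeping file
        return diff_snapshots(load_snapshot(root / "before.json"), after)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Content hashes rather than timestamps are the point: a dropper that rewrites a file and restores its mtime still shows up as modified. What this does not see is state outside the tree being watched (registry, scheduled tasks, browser profiles under the user directory), so the watched root has to include those locations or the check is only partial.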
They can - if you write the sandbox and adapt applications to it. What I meant is that the sandbox should be built-in into a distribution.
Also, I did some research and the sandbox is difficult to implement because you need to stub literally every facility (because Linux was not designed for sandboxing). For example, I had to write an emulation of /proc in Python using FUSE because many apps rely on reading files there but granting them full access leaks too much information about your system and is not secure. Now think how much time you need to stub every API, including undocumented APIs like /sys, ioctls and so on.
Unless there is a comment "this code is actually safe, it's done this way for optimizations", or a variable called "thisCodeIsSafeItLooksWeirdForPerformance" and the LLM just ignores the backdoors.
Over the past few years, I've seen several github projects that won't build because they rely on private libraries that are downloaded at run-time. I've opened a few of the downloaded libraries, and they're always innocuous. Often, they are just compiled versions of source in a different repo under the same author. But, that mechanism could easily swap the library for a trojan.
It's really absurd how many of these are out there in the wild. Scary really.
Well it all comes down to trust eventually, you cannot inspect every single line of code of every program you want to run on your computer.
Nowadays even GitHub stars are not worth that much trust because malicious actors can just make fake accounts or buy them.
The number of new GNU/Linux distros that have appeared since 1994 that just compile stuff into binary packages not even paying attention to the fact that the source can be inspected, is just staggering.
I don't see any hint on how to recognise, or how not to recognise them. Did the projects have lots of stars? Fake issues and pull activity? What kind of software did they claim to be? Did they work, to avoid it being obvious after executing and the user reporting the repository to GitHub? How hard was it to spot the malware, Underhanded C Contest level or obvious if you just open the right file (among hundreds, I guess) and see it do illegitimate things?
All it says is that the projects were written in different common languages...
Honestly, whenever some malware like this is revealed, that just makes me wish for more sandboxing and alerting in OSes. For example, each app getting its own writable directory structure and access to anything else needing to be explicitly granted by the user.
It would require work to make the UX not be horrible, but that's a solvable problem. The fact that we don't have that in mainstream OSes in $CURRENT_YEAR given the security situation of the software out there, is insane.
Optional app sandboxing that does what you're talking about already exists on every major OS, disregarding Linux distributions that don't have Flatpak. Seems to me it's less a UX problem and more cultural: a critical mass of developers take the easy way and users learn to ignore the alerts. Android has the same problem with the "all files access" permission. The one platform where this works, iOS, has a totalitarian ruler that requires all apps to be sandboxed and not request gratuitous permissions.
To really get around the culture problem you would need an OS that lacks the concept of undeclared data sharing between different packages.
Kaspersky is now banned for government use in multiple nations. Whilst there is some good work happening there, as above, for the most part, they should be considered a state actor for Russia.
That usually means that they're a threat, and these small good tokens are nothing more than PR efforts.
You can't avoid politics, when considering this company.
All cyber security companies should be considered state actors. Even if they currently aren't it's too easy for a state to coopt them.
If you build an antivirus software today, and tomorrow you get a secret court order to ignore certain malware for "national security" what are you going to do? What if it's a request to include a small binary payload in return for a lucrative government contract, with implied threats of what happens if you leak the request? You can decide not to do it and just shut down, but then the only ones left on the market are the ones that complied.
If you do cyber security for more than just compliance, evaluating the software providers against your threat model was always an important step. Whether that means avoiding American, Chinese or Russian software. In the threat model of a Western government agency, Russian software should have been off limits since the 50s (even if Kaspersky tries to tell you they are not Russian at all).
That still doesn't mean their work is any less interesting or praiseworthy. Just like how you know NASA landed on the moon because Roscomos didn't dispute it, Kaspersky can do work and offer perspectives that might be more difficult for similarly sized western cyber security companies.
Australia's Assistance and Access Orders (TAN, TCN, etc.) [0] basically allow the government to order mandatory backdoors into various software. They do have some oversight, but it isn't significant. They can order any employee, not just the company.
The wording is also... squirrelly. You can't introduce a weakness, but the definition of weakness excludes the entire concept of backdoors.
However, Technical Capability Notices can be ordered where:
> reasonable, proportionate, practicable and technically feasible
The employee/company can push back and argue one of those isn't met, but ultimately it is the office of the Governor General that decides.
So far, it has basically only been used against journalists [1], as far as we know, which is nice and horrific.
Maybe don't put too much into the word "court order", but instead interpret it as an order from the government to force the company to use the tool for the governments/country's benefit.
One could also assume that the owners and/or management of the company are in the same boat as the government/country so they do not mind using the tool for the country's benefit when needed.
It is not very fair singling out Kaspersky and assuming that other AV companies are not a threat to foreign countries. Foreign software and hardware is always a threat. And US was caught spying even on their allies.
> The US, while hardly benign, have not orchestrated multiples of "largest attack in history"
You must be using a very personal interpretation of what "largest attack in history" is.
The US is literally the owner and operator of the largest surveillance and intelligence collecting apparatus in the history of mankind. I bundle in here all kinds of legal and illegal surveillance, interceptions, hacking, etc. directly state run, or leveraging other intelligence agencies, or leveraging the largest private data collectors in the world which are mostly US companies. It was already proven by the Snowden leaks, it's absolutely reasonable to assume this apparatus only grew stronger.
If that's not a never ending "largest attack" on everyone in the world I don't know what is.
You can't ignore this fact: The US and Australia partner on Pine Gap, which violates the human rights of literally billions of human beings every single second of the day.
Russia and China have a long way to go to catch up.
Sorry, but that's crazy exaggeration. Calling snooping "violation of human rights of literally billions of human beings" just because "privacy" gets a mention in the UNDHR doesn't make it as bad as anything Russia and China have done lately. And that's not even touching upon what "privacy" would mean in that declaration.
Privacy is a key human right that should not be abrogated by the state, ever.
Fundamentalist-authoritarian chauvinism for your own state is no justification for these human rights violations - assuming of course you are a citizen subject of the criminal 5-eyes alliance ... If you cannot imagine it being okay for other states to harvest your data, you should not be okay with your state doing it, either.
You know why? Because violating your privacy without recourse is how states ramp up to commit genocide and other atrocious crimes against human beings, whether their citizens or otherwise, by a process through which the states ruling classes deem their victims inferior and thus subject to attention by further repressive state apparatus.
Mass harvesting billions of human beings' data every single second of the day, without their permission, is therefore a heinous crime against humanity and a massive violation of human rights at scale - especially when it's being done by a violent, belligerent state with the blood of literally millions of human beings' lives on its hands. Or do you really think that China and Russia have murdered as many civilians as the USA and its minion states have done, this century, in one illegal war after another?
With the Pine Gap apparatus, the USA is primed with information about who to target in its victim states. It is a key method by which effective mass murder can be manifested in illegal wars - of which, the USA is the undisputed leader, this century.
Just by way of a single example - the Holocaust was made feasible by the mass harvesting of private citizens' data by IBM. Is this not well understood, today?
Would you be 'okay' with Russia and China operating their own Pine Gap, since "its no big deal to 'just be snooping a little (a lot of) data'"? Would you be 'okay' with your own state knowing absolutely everything about you without your knowledge or control, now .. or in the future, when perhaps your political attitude changes as you grow older?
You most likely wouldn't be happy with China and Russia doing this, even though they have not murdered as many innocent human beings on the basis of lies in one illegal war, after the other, as the USA and its war-crime committing cohorts have.
> Privacy is a key human right that should not be abrogated by the state, ever.
Nonsense. The state definitely has the right to seek out criminal and undermining elements. Better, a democratic state has the obligation to do so.
> Would you be 'okay' with Russia and China operating their own Pine Gap
They do. And there's nothing I can do against it.
> even though they have not murdered as many innocent human beings on the basis of lies in one illegal war, after the other, as the USA and its war-crime committing cohorts have.
Oh dear, aren't we rabidly anti-West today? I wonder how you square that with your "Privacy is a key human right that should not be abrogated by the state, ever." stance.
> Or do you really think that China and Russia have murdered as many civilians as the USA and its minion states have done, this century, in one illegal war after another?
Why the sudden switch to "this century"? Your argumentation is switch-and-bait throughout. But China probably has perhaps already murdered more Uygurs, and if we add its "minion" Myanmar, they'll top it.
Or it means that the original bans were primarily instituted because of myopic geopolitics and not because of any meaningful threats. In particular US ire towards Kaspersky grew rapidly after it was the only antivirus that picked up on NSA/'equation group' malware.
It's similar how the US banned all cooperation with China in space [1] because of some tropes about them being unable to do anything except steal American tech. That's why, to this day, there are no Chinese on the ISS. After that law China proceeded to develop, launch, and man their own space station, put a rover on Mars, and even carry out an unprecedented sample return mission from the dark side of the Moon, and just generally run circles around the US (except perhaps SpaceX) in space. Interestingly US researchers may not be able to access those Moon samples (which China shared with scientists worldwide) due to this stupid law.
Regardless what the original story behind the Kaspersky ban was, if you genuinely don't think that a Russian antivirus company represents a state-controlled threat to US organisations, public and private, in 2025 then I don't know what to say to you.
After the initial US allegations they moved their infrastructure and customer data over to Switzerland intentionally leaving them subject to both EU and Swiss customer data protection laws, and also opened up various hubs to enable interested parties to review their source code on demand, if desired.
I don't think every Russian company is conspiring against the US anymore than I think every US company is conspiring against Russia. In this case there's a clear and malicious motive for the US to want to block them that has nothing to do with threats, and they've gone way beyond any sort of reasonable standard to make it clear they have no ill intentions whatsoever.
Of course the problem is that proving you're not a witch is basically impossible, which is why innocent until proven guilty is a standard across the world, except when it comes into geopolitics when allegations are proof, leaving the accused parties to prove a negative.
Not if US and Russia become “allies”. Then UK/EU companies will become a bigger “threat”.
It should go even further e.g. you don’t want ARM installing backdoors on their chips and giving hostile foreign organizations like the MI6 access to vital American infrastructure, intelligence data etc. do you?
It might be the time to consider switching to Elbrus or at least mandating that all devices used by US government agencies have to use Intel’s chips.
I think the more prudent approach in the modern age is to simply assume that all states control organizations within their midst with the intention of posing a threat to citizens - foreign and domestic - and a misplaced trust in ones own state above all others is not only naive, but super dangerous.
If you're not holding your own government to the standards you apply to other states, you're putting yourself in danger.
Especially given the fact that the USA and its partners operate the largest, by far, information gathering/human rights abusing apparatus with well-known subversive purposes, by a long margin.
I agree with this, but would extend the distrust to all concentrations of power. Supremely wealthy corporations and individuals, although on their own lacking the state’s monopoly on violence, eventually co-opt the state through regulatory capture or other means (although they can ruin lives even without the state’s power). See Elon Musk for a particularly vivid contemporary example.
Increased collaboration between the Russian state and the American state is bad for the ordinary citizens of both — and for freedom-loving people in Ukraine, Europe, and everywhere else.
The US and Russia are the biggest nuclear powers in the world. Positive relations here are good for absolutely everybody. Positive relations do not mean one has to approve of the political system, ideology, or whatever else of the other side. See: Saudi Arabia which remained a key ally for many decades in spite of being wayyyyyy further off the spectrum (relative to the US) than Russia could ever be.
Overtly adversarial relationships trend towards violence, sooner or later, and that's not a path we ever want to go down.
The US has turned towards enabling Russia’s imperialist war, and the Pentagon article explains how it will unilaterally disarm in the face of Russian cyberwarfare, leaving Russian criminal groups to run rampant in Europe and even the US. Abetting conquest and criminality is not the sort of collaboration we should cheer.
Wars are largely started because of poor relations. The US overtly supported and encouraged an effort within Ukraine to overthrow a democratically elected president because he was moving more towards Russia than the West. Russia then ended up invading Ukraine for fears of having NATO not only right on their doorstep, but right in their geographic Achilles' heel.
If the US and Russia were on good relations none of this would have happened, Germany's economy would still be booming, and just about everybody would be so much better off today. And no, the article does not say the Pentagon will "unilaterally disarm." It ordered a halt to offensive operations against Russia - e.g. the Russian government which is certainly going to be reciprocated. Criminal elements are a different topic, but I do expect as relations between US and Russia warm, they will no longer be looking the other way when these groups target the West.
> The US overtly supported and encouraged an effort within Ukraine to overthrow a democratically elected president because he was moving more towards Russia than the West. Russia then ended up invading Ukraine for fears of having NATO not only right on their doorstep, but right in their geographic Achilles' heel.
This war started when Ukraine's president Yanukovych, at the last minute and under Russian extortion, abandoned the EU-Ukraine trade agreement that would have opened up the EU for trade and other opportunities. This meant that Ukrainians could've easily seen their incomes grow by 3-4x in a short span of time, like other countries that entered deeper relations with the EU and eventually joined it saw.
Naturally, Ukrainians responded with massive protests, to which Yanukovych replied with increasing violence, culminating in 100 protesters being killed by police snipers. At that moment, Yanukovych lost the support of even his own party, fled to Russia out of fear of imminent imprisonment, and the Ukrainian parliament announced snap elections to replace him. The elections were held a few months later. Not many people would call general elections a "CIA coup".
NATO has nothing to do with it either, that's pure gaslighting. In the first few years after the initial invasion in 2014, Russia denied having any troops in Ukraine. According to Russia, the thousands of people equipped with Russian tanks, artillery, and air defense systems were merely local self-defense forces who had bought their equipment from military surplus stores. Russia claimed that Ukraine was in a civil war.
The narrative started shifting to blaming NATO only in the run-up to the full-scale invasion in 2022, when Russia abandoned the story that Ukrainians were fighting each other and needed a new justification for its massive surprise attack on all of Ukraine.
Bullshit, after Ruzzia invaded Ukraine in 2014 you still have the ability to pretend Ukrainians did not really want to join EU and NATO and USA, Israel and Illuminati caused the Ukrainians to protest their president that promised the West and then betrayed the people by going East.
Typical Zed propaganda where Eastern Europeans are all brainwashed to hate the good, kind Ruzzian empire. If you are USaians then go and fix your history and stop consuming MAGA and Zed propaganda.
You're having an anachronism. The events in Crimea only came after 'their president' was overthrown, and were directly and indisputably caused by it. The reason I say 'their president' is because Crimea is majority ethnic Russian and before them it was Tatars. It's never been Ukrainian in ethnicity or even close to such. And the event that was exploited into a crisis point was Yanukovych signing an economic agreement with Russia instead of the EU.
The US wasn't just doing things behind the scenes. This [1] is John McCain at a rally in Kyiv. Imagine if during the BLM (or January 6th or whatever) protests/riots China/Russia/etc had sent high level officials to overtly rally people to try to overthrow the government. It's a completely surreal sight if you really think about what you're seeing. The US is right there saying 'Yeah, we're gonna overthrow you in plain sight - try to do anything about it and you'll be wishing that's all that happened.' And if you think there was nothing going on behind the scenes on top of stuff that overt in front of the cameras, then I'd say you're not arguing in good faith!
In any case, none of this happens with good relations. A simple agreement to economically save Ukraine shouldn't have been an adversarial East vs West thing, but just another agreement to the benefit of Ukrainians. But that poor country's strategic positioning, and easily exploitable nationalist minority, means it was doomed to inevitably just end up as little more than a rope being tugged on by two giants. The giants will be fine regardless of what happens - it's just the rope that ends up in tatters.
Fck what about
Ukraine borders are recognized by Ruzzia but they invaded Ukraine
then they signed peace and invaded again
I don't give a shit what USA idiots said, if the people of Ukraine want in EU and NATO like their neighbors Poland, Romania, Hungary then why should a failed empire object.
You imply that USA brainwashed the Ukrainians, they instigated this.
Can't you use your brains? Can you see Ruzzians killing, raping, torturing their "brothers"? It is obvious that for an ethnic Ruzzian genociding Poles, Romanians or Ukrainians is the same, they have no value for what we actually want.
We all want EU and NATO to be free of USSR/Ruzzian empire
the Ruzzians want their empire back,
Ruzzia has nukes so the bullshit that NATO extends because they want to invade Ruzzia and steal their shit is stupid, use your brain
EU bought shit from Ruzzia, EU tried to get peace with the empire by making business relations, EU had no plans to invade and steal Ruzzian lands.
There was ZERO risk for Ruzzia to get invaded, it is the same with the other wars Putin started, it is all geopolitics and many Zeds agree with it and make fun of us smaller countries by claiming that this is how the world works, big empires screw the small countries.
>There is a lot to criticize the US for, but it is nowhere close to being a failed empire yet.
At least we can agree Ruzzia is failed empire, no words on that part from KGB
I am happy I found an agent that is not flagging or reporting me then goes to tell his mom how big of a hero he is.
I am not implying in any way that Ukrainians are brainwashed. The main weapon that the US uses against geopolitical adversaries is to take some organic issue, the sort which exist in every single country (including the US), and exploit it as much as possible to try to turn a small spark into a blazing inferno. If we didn't need to have McCain go speak in Ukraine to keep that fire burning - we wouldn't have. The optics are bad, it makes a mockery of any notion of not meddling in other democracies, and you can no longer dismiss direct involvement as just some conspiracy, as you initially tried to.
The reasons countries don't want geopolitical adversaries on their doorstep is because superpowers have an unspoken (well.. sometimes spoken [1]) 'sphere of influence' that is not to be touched. If Mexico signed a military agreement with Russia that involved them establishing forces there - we would be invading imminently. In fact this is exactly what the Cuban Missile Crisis [2] was about. Ukraine (and Taiwan) are not even just proxy wars between the US and Russia/China, but rather they're a proxy war against hegemony. Does the US have the right to setup right on Russia's front door? How about China's?
So the one thing I would agree with you is that indeed - the world remains one of the strong picking on the weak. And the last place you ever want to be is caught in the middle of a turf war between two giants. The world would be vastly better for everybody if those giants instead existed in collaboration, or at least healthy competition. One trying to dominate the other is only likely to hurt those caught in the middle. Because if the two giants ever came to unrestrained blows, the entire world would burn.
This is still bullshit
if some EU official comes and speaks in Romania then all the Zeds and MAGAs will claim that all Romanians votes are now invalid and we are actually brainwashed.
You guys need to accept the real reality, none of Ruzzian neighbors want to be part of Ruzzia, NONE. Every intelligent person is leaving Ruzzia, people in neighboring countries go to the EU or the West and not Ruzzia.
We know better what Ruzzians are capable of, and we know better what we want, no visit from an USaian or Soros can overnight change our minds.
I see this with Ruzzians that are USSR nostalgic, they actually think that Moscowites sacrificed their wealth to help everyone else and we just got brainwashed to hate them, the genocides did not happen and if they had happened the victims deserved it.
True, they cease being “meaningful” the moment you surrender and stop viewing them as threats.
OFC it’s all relative, Russia and similar actors having more political/economic influence in the US (and by extension globally) might not be viewed as a negative by some people.
Please feel free to point out where the CIA successfully issued directives to those companies to target foreign nationals.
Bearing in mind that Snowden's revelations did in fact cause outcry, and national responses to US companies. And helped push through various data protections in Europe, including stipulating non-sharing of data with the US.
Has this been proven? Or is this another 'they are in a foreign country so they could be compelled to spy on us?' - not that I have a particular desire to defend Russia at this moment in time.
Ironically, we are having similar discussions regarding US companies if the trend with the current administration is to continue.
The big difference is that as of today, we are currently stuck with the available alternatives, but it won't surprise me if many governments start looking back into the computing diversity infrastructure that we had during the Cold War days.
Why not judge on the merit. Unlike PRC's deepseek or tiktok which were shown and admitted to collect all sorts of data and specifically influence public opinion to favor a foreign interest this is literally just information, white hat infosec research
You cannot divorce the company from their other actions. They are engaged in cyber warfare with various nations. That means that all of their actions need to be weighed and judged.
They put it on their website, which makes it company PR, regardless of how it might be seen. Good things have been done by terrible actors, since the dawn of time. It is not information alone.
In that vein Europe should have 0% trust in any US software or hardware. We are not that much friends anymore, in fact US is currently actively helping our existential enemy and subverting us.
Remember the scandal with the US directly spying on all the European top politicians? That was in quiet times compared to now.
To paraphrase you, terrible things have been done by good actors. You cannot divorce a state from its other actions in the same area either. I don't think I need to bring up numerous fuckups of US 'defense' and secret services that literally killed tens of millions of civilians in the past 100 years across the whole globe, with very little to show for it and claim 'it was worth it because we achieved XYZ'.
As of now? I am making noise with my government on the US. The nation has dismantled their protections, they have an unhinged preacher of hatred in the White House, and he has a proven record of breaking international agreements.
Starlink and Tesla are security concerns.
The US' current attitudes suggest that they would very much like to see world war three. And would like to ally with Russia to make it happen.
Recklessly endangering international agreements will not be without consequences.
I don't believe Google has directly caused the leaking of classified information, or attacking vital infrastructure, as of yet. Kaspersky, yes [0]. TikTok, yes [1]. Google do, however, publish information on commercial spy networks [2].
However, it is likely that I would do so if they show themselves to be an enemy of my nation. If you've found Google attacking a government, I'm sure plenty of people would love to see the evidence.
Your first link doesn't show any evidence of, or even suggest that, Kaspersky has attacked Australia.
It shows only that the Australian government expresses concern over the capability, which doesn't seem entirely unreasonable and also politically motivated.
Oceania has always been at war with Eastasia, and all that.
> Entities must manage the risks arising from Kaspersky Lab, Inc.’s extensive collection of user data and exposure of that data to extrajudicial directions from a foreign government that conflict with Australian law.
That's not concern of possibility. That's acknowledgement of exfiltration of data, back to Russia. Past tense.
This is political, yes. But only insofar as all actions of one nation against another are political. Australia goes to some lengths not to piss Russia off. If things were not so political, then the response would likely be much greater, not less.
Uhm if you read the kind of thing Aussie government hackers were doing lately... They are perfectly fine pissing off Russia:) (There are plenty of actual threats from there, just kaspersky doesn't seem one)
Are you weighing and judging that the USA has killed millions of innocent people because of the American Military Industrial complex before buying American products? You can’t divorce a company from its country's politics as you say.
If you are not judging the USA at the same standards as you do other countries then that would be very hypocritical.
The first few years of my life were in Bolivia. Where our prime minister, for the sin of being elected by the people, was shot dead on the streets of the capital, a street I lived on, by the CIA. I still have friends, who serve Morales today. I am well aware of the sins of the US.
Until Trump, the USA was not a direct threat to the nation I now live in. However, nuance is lacking in your response.
You cannot divorce a company serving its government, from the politics it lives in. There's little evidence of Y-Combinator, for example, of endeavouring to upend their entire business to serve as spies for the USA. If Kaspersky was divorced from the KGB, politics would not be as considerable a context for understanding their actions.
> You cannot divorce a company serving its government
I would extend that to "a company bound by law", since governments can change. [0]
Most people here argue that google, etc. have not been caught stealing/leaking data yet, as if Snowden didn't happen. And as if any foreign citizen's data isn't fair game to US jurisdiction. [1]
The whole point to reading an article like this is to get the considered opinions of an expert, though, not to "judge it on the merit". Only an elite handful of security folks here on HN (and this is one of the few forums where you can find them!) are capable of doing that.
So sure, when another security wonk comes along and says "Kaspersky is right about this", I think it's worth discussing. Until then, we need to assume that any communication from the company is compromised by unstated interests. Not all of it is, surely, but some probably is, and "judge it on the merit" isn't a good standard to detect the bullshit.
It's not about "mystification", it's about laziness. I read security reviews and blog posts because it's easier than trying to follow CVEs and the like myself. And the way that works is that I trust the source to give me a reasonably unadulterated good faith summary of the facts on the ground.
We can't trust Kaspersky. They're compromised by a government that's known to lie and manipulate. Again, they may be telling the truth here (certainly doesn't seem controversial), but I'm going to wait for someone I trust to tell me that.
This isn't kaspersky's research?
Around a̵ ̵w̵e̵e̵k̵ ̵a̵g̵o̵ ̵(̵?̵)̵ a couple days ago someone made a post on /̵r̵/̵c̵y̵b̵e̵r̵s̵e̵c̵u̵r̵i̵t̵y̵ /r/hacking where he made a scraper and analyzed all the malware he could find. The repo amount was in the ~1000s repos that he shared in a spreadsheet. Github as a domain is feasible as a malware dropper domain due to it being allow listed by Microsoft. The attackers seem to use bots to use the releases section of other repositories, the code is there, too, but incomplete.
They were also targeting many popular games like Fortnite, Valorant, CS2 and others with their cheats that contained the malware. It was kind of interesting to see because they used a lot of screenshots in the README files that seemingly were enough to convince gamers to install the malware.
The dropper/stealer samples that I took a look at were python obfuscated bundles targeting Win11 and lots of different browser cookie storages, password managers, and even replaced the MetaMask extension inside the browser profile with another one after stealing all the session cookies and passwords. As an exfil technique they used discord, and you could see lots of different ranks of the discord server, with the API tokens and paypal ids and other things that they automated their payments with.
It was super interesting to see that they switched to using python there, because it's an odd choice from a redteam perspective.
I still have the deobfuscated code somewhere, not sure if I can find the link to the original research article again. Couldn't find it with the shitty reddit search.
edit: Man, this weekend has been way too long. Here are the links to the original article from only a couple days ago:
[1] https://old.reddit.com/r/netsec/comments/1izryuk/github_scam...
[2] https://timsh.org/github-scam-investigation-thousands-of-mod...
[3] The google spreadsheet (archive link because traffic limit has been reached I guess): https://archive.is/ijiWP
edit 2: The pubhtml file of the google spreadsheet I have also on my hard drive, but it's ~23MB. Maybe I can make a gist out of that later? The spreadsheet didn't show an export button or UI, that's why I used wget at the time.
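Added example (not code from the Reddit post, the timsh.org write-up or any commenter): a small defender-side triage helper for the traits the comment above describes in the Python stealer bundles: a Discord webhook used as the exfil channel, exec() fed straight from a base64/zlib/marshal decoder, and references to browser credential stores. The regexes, the weights and the two-layer sample file are all constructed assumptions for the demo.

```python
"""Constructed static-triage helper for Python stealer bundles (added
example, not from the original post or research).  It peels base64 layers
so that indicators hidden one decode deep are still found."""
import re
import base64
import binascii
from dataclasses import dataclass

# Discord webhook URL as an exfil indicator (pattern is an assumption; tune it).
DISCORD_WEBHOOK = re.compile(
    r"https?://(?:canary\.|ptb\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+"
)
# exec() fed directly by a decoder: the usual one-line obfuscation wrapper.
OBFUSCATED_EXEC = re.compile(
    r"\bexec\s*\(\s*(?:base64\.b64decode|zlib\.decompress|marshal\.loads)\s*\("
)
# Long base64-looking literals that may hide a further layer of code.
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# File names of Chromium-style credential stores that stealers read.
CREDENTIAL_STORES = ("Login Data", "Cookies", "Web Data", "Local State",
                     "Local Extension Settings")
# Rough weights for a triage score (assumed values).
WEIGHTS = {"discord_webhook": 50, "obfuscated_exec": 30, "credential_store_path": 20}


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str
    depth: int  # 0 = outer file, 1+ = found inside a decoded base64 layer


def _decode_printable(literal: str):
    """Return the literal's base64 decoding if it is printable text, else None."""
    try:
        raw = base64.b64decode(literal, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def triage(text: str, depth: int = 0, max_depth: int = 3) -> list:
    """Collect indicators from `text`, peeling base64 layers up to max_depth."""
    findings = []
    for m in DISCORD_WEBHOOK.finditer(text):
        findings.append(Finding("discord_webhook", m.group(0), depth))
    if OBFUSCATED_EXEC.search(text):
        findings.append(Finding("obfuscated_exec", "exec() over decoded payload", depth))
    for store in CREDENTIAL_STORES:
        if store in text:
            findings.append(Finding("credential_store_path", store, depth))
    if depth < max_depth:
        for m in B64_LITERAL.finditer(text):
            inner = _decode_printable(m.group(0))
            if inner is not None:
                findings.extend(triage(inner, depth + 1, max_depth))
    return findings


def risk_score(findings) -> int:
    """Sum the weights; a webhook plus an obfuscated exec alone already scores 80."""
    return sum(WEIGHTS.get(f.kind, 0) for f in findings)


# --- constructed sample: a two-layer stub in the style the comment describes ---
_INNER = 'p = os.path.join(local, "Google/Chrome/User Data/Default/Login Data")\n'
SAMPLE = (
    "import base64, os, requests\n"
    'HOOK = "https://discord.com/api/webhooks/000000000000000000/CONSTRUCTED_TOKEN_FOR_DEMO"\n'
    'PAYLOAD = "' + base64.b64encode(_INNER.encode()).decode() + '"\n'
    "exec(base64.b64decode(PAYLOAD))\n"
)

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[depth {f.depth}] {f.kind}: {f.detail}")
    print("score:", risk_score(triage(SAMPLE)))
```

The layer peeling matters more than the individual patterns: the credential-store path in the sample is only visible after decoding the base64 literal, which is exactly where a grep over the outer file stops.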
What makes you sure the malware described here is the same as the one you read about before? After all, GitHub isn't limited to one malware campaign at a time.
E.g. we also have https://news.ycombinator.com/item?id=43203158 from 3 days ago, which seems to be a different thing at first glance.
The structure of the archive looked very similar to the sample I was analyzing.
The securelist article [1] also describes the same malware techniques and stealer behaviors, just in a much less detailed manner than the original reddit post.
[1] https://securelist.com/gitvenom-campaign/115694/
edit: updated my grandparent comment with the reddit links. It was on /r/netsec and /r/hacking and not on /r/cybersecurity where the author posted it first :D
This is dated February 24, which is before I noticed all these other investigations hitting Reddit and HN. Seems maybe they were just piggybacking off Kaspersky
> It was super interesting to see that they switched to using python there, because it's an odd choice from a redteam perspective.
Is it really that surprising? Using Python makes it easy to write their "business logic" and if they get caught, they just tweak the way they are obfuscating it. They aren't using any fancy exploits that they want to protect, this is the equivalent of a smash and grab robbery.
The spreadsheet converted to CSV, all repositories:
https://pastebin.com/Ns65ykyV
Only the malicious repositories (second sheet):
https://pastebin.com/UK8x3f6r
The amount of developers I've met who will just download, compile, and run stuff from GitHub in the same way as if it was closed-source, i.e. paying no attention to the fact that the source is available for inspection, is surprisingly many.
I think it is worse than that.
I think being on GitHub (and seemingly open source) gives developers a false sense of security in that they assume the code is open and therefore community vetted and that the developer has nothing to hide.
I suspect people who would know not to download and run a random binary off the internet would download, compile and run projects from GitHub.
But, truly, what is the solution?
I mean, you can use static analysis or similar, but you generally can't check every line of code for every open source lib you pull in, let alone its dependencies.
Seems that, once you decide to use open source, you are actually making a choice to trust to some extent.
Commercial Linux distributions like Red Hat, SUSE and Canonical stake their reputation on compiling a trustworthy collection of open source software, in exchange for money. Unfortunately they disclaim any legal responsibility, but at least they make reasonable efforts to analyze the security of the software they are distributing, in order to avoid PR disasters.
For some reason the same business model has not made many inroads for higher-level language ecosystems, although many companies are trying - for example the Python Conda distribution.
Winget seems to finally do something similar for Windows: https://github.com/microsoft/winget-cli
Although the "repo" is a list of manifest files that include third-party download sources. So even if there is an approval process it seems to be quite vulnerable to including malware.
Edit: Example https://github.com/microsoft/winget-pkgs/blob/master/manifes...
> But, truly, what is the solution?
Let's use GitHub as an example. We have forks, and stars. Maybe we could also have some kind of build endorsement?
How one would verify that the endorser is worth your trust, I am not entirely sure.
Maybe endorsers could eventually be rated by CVEs found in their endorsements, and that would build trust?
They could build an optional "risk score" that open-source community-oriented projects could turn on. It could include requirements like having something dependabot-esque along with CodeQL enabled. Rules could be created for CodeQL (if they haven't already) that check for obfuscated code, suspicious access (keychain, password storage, etc.) and other items.
On top of that it could have forced release binary scanning via VirusTotal/insert-malware-scanning-vendor-here.
How about directly linking to the CVEs and how quickly they were mitigated and in which commit?
Pay researchers to analyse repos without any. Post results. Link to the repo with mitigation PRs.
It’s insane this isn’t the standard already
> Pay researchers to analyse repos without any.
This is the problem, the best we can do is pay via exposure. But that actually ain't nothing. Not just individuals, but also orgs could then make money from private contracts based on their reputations? This should be the benchmark of trust. Could there be anything better?
Are you certain that CVEs are a good indicator?
Excellent question. No, I am not. I am just attempting to use my very limited knowledge on this subject to hopefully further discussion on a topic that feels really important.
I would love other people to jump in and elevate this conversation.
Sure, CVEs might not be the ideal metric. Could you, or anyone else, suggest a better metric?
If GitHub is too lethargic to even contemplate this type of change, maybe this could be a differentiator for GitLab?
Copilot for sure should be able to describe the code and spot basic malware
No it won't. I could write you very basic, obvious malware that is obfuscated just enough for copilot to miss it 100% of the time. Let alone things like what JiaTan wrote.
LLM or human, what if they both competed in some sort of "I have the least CVEs in my endorsements list" battle?
This would actually be an excellent LLM coding benchmark,[0] in addition to a human endorser benchmark.
[0] If nobody is already doing this, especially retrospectively, and you do, then please at least give me a shout out. :)
Of the 351 malicious repositories in the spreadsheet somebody linked, only 4 have more than 10 stars. None of them have more than 30 stars, and none of them have more than 3 forks. None have more than 5 issues, and only 4 have more than one issue.
You don't have to assume that the code is community-vetted. If a repository has at least a couple hundred stars, lots of forks, and an active pull request cadence, then you know that at least some people have gone digging through it.
If not, then that's when you should break out the sandboxing tools and prepare to check the code yourself. At least it should be easy-ish to automatically check/block everything that has the potential to open a network connection, which defeats most profitable malware models.
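Added example, not from any commenter or from the linked research: the two checks proposed in the comments above, applied to constructed data. First a community-signal heuristic over repository metadata (the thresholds are assumptions, loosely following "a couple hundred stars, lots of forks, an active pull request cadence"), then a static check that lists which network-capable modules a Python file can reach, including the `__import__("...")` / `importlib.import_module("...")` string forms that a grep for `import socket` misses. The repo records and source snippets are constructed.

```python
"""Constructed example (not project code): repo community-signal heuristic
plus an AST walk for network-capable imports, as a block-before-run check."""
import ast

# Assumed thresholds for "someone has probably looked at this already".
MIN_STARS, MIN_FORKS, MIN_RECENT_PRS = 200, 20, 1

# Standard-library and common third-party modules that can open a connection.
NETWORK_MODULES = frozenset({
    "socket", "ssl", "http", "urllib", "ftplib", "smtplib", "telnetlib",
    "xmlrpc", "requests", "httpx", "aiohttp", "websocket", "websockets",
})


def community_signal(repo: dict) -> str:
    """Classify a repo record (constructed shape: stars, forks, prs_last_90d)."""
    vetted = (repo.get("stars", 0) >= MIN_STARS
              and repo.get("forks", 0) >= MIN_FORKS
              and repo.get("prs_last_90d", 0) >= MIN_RECENT_PRS)
    return "community-vetted" if vetted else "review-yourself"


def _top_module(name: str) -> str:
    return name.split(".", 1)[0]


def network_capable_modules(source: str) -> set:
    """Return the network-capable modules imported anywhere in `source`."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                found.add(_top_module(alias.name))
        elif isinstance(node, ast.ImportFrom) and node.module:
            found.add(_top_module(node.module))
        elif isinstance(node, ast.Call):
            # __import__("socket") and importlib.import_module("requests")
            fn = node.func
            is_dunder = isinstance(fn, ast.Name) and fn.id == "__import__"
            is_importlib = (isinstance(fn, ast.Attribute) and fn.attr == "import_module"
                            and isinstance(fn.value, ast.Name) and fn.value.id == "importlib")
            if (is_dunder or is_importlib) and node.args:
                arg = node.args[0]
                if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
                    found.add(_top_module(arg.value))
    return found & NETWORK_MODULES


def should_block(repo: dict, source: str) -> bool:
    """Policy from the comment: unvetted repo whose code can reach the network."""
    return community_signal(repo) != "community-vetted" and bool(network_capable_modules(source))


# --- constructed sample data ---
REPOS = [
    {"name": "demo/free-aimbot", "stars": 7, "forks": 1, "prs_last_90d": 0},
    {"name": "demo/established-lib", "stars": 2400, "forks": 310, "prs_last_90d": 12},
]
SUSPECT_SOURCE = "import os\nmod = __import__('socket')\nfrom urllib.request import urlopen\n"
BENIGN_SOURCE = "import json, re\n"

if __name__ == "__main__":
    for repo in REPOS:
        print(repo["name"], community_signal(repo),
              "block" if should_block(repo, SUSPECT_SOURCE) else "allow")
```

This only catches imports that are visible in the AST; code that builds a module name at runtime or shells out to curl needs the dynamic approach (sandbox plus network egress logging) rather than this static one.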
You can get rid of legacy OSes like Windows or Linux that cannot run applications in a sandbox and switch to those which can. In this case the malware only gets a sandbox and not the whole system.
If you work for a commercial company then you should not download the code from random users on Github for free but from commercial, safe repositories where the code is inspected, tested and verified. Or from reputable large commercial companies that are unlikely to put backdoors. Microsoft or Apple won't risk their reputation by backdooring an open-source library.
I don't get it, are there privilege escalation attacks for Windows? I haven't logged in as an administrator since 2005 or so.
We know we can hit the windows key and type "sandbox"? (May need to "install" it from windows features.) Right?
There are software packages that let you snapshot the files and checksums, then compare again after you've run your test program / installer / whatever.
You can make this software "portable" so you don't have to install it every time. You can copy and paste into the sandbox from your windows desktop and drives.
Obviously this isn't Sandboxie or Nix or an immutable file system or anything, but let us not pretend it's 1996 and "GoBack.exe" hasn't been invented yet.
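Added example (not from any commenter): the snapshot-and-compare step described above, written in Python so it runs unchanged inside Windows Sandbox or anywhere else. Take a baseline of a tree before running the installer, take a second snapshot afterwards, and diff them by content hash. Paths, file names and the throwaway tree in the demo are constructed.

```python
"""Constructed example (not a commenter's tool): hash a directory tree before
and after running an untrusted installer, then report what changed."""
import hashlib
import os
import tempfile


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
    except OSError:
        return "<unreadable>"  # locked or denied files still show up in the diff
    return h.hexdigest()


def snapshot(root: str, skip_dirs=(".git", "__pycache__")) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow links out of the tree
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = _sha256(full)
    return result


def diff_snapshots(before: dict, after: dict) -> dict:
    """Return added/removed/modified relative paths, sorted for stable output."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def report(changes: dict) -> str:
    lines = []
    for kind in ("added", "modified", "removed"):
        lines.extend(f"{kind[0].upper()} {p}" for p in changes[kind])
    return "\n".join(lines)


def _write(path: str, data: bytes) -> None:
    with open(path, "wb") as fh:
        fh.write(data)


def constructed_demo() -> dict:
    """Build a throwaway tree, baseline it, mutate it like an installer would, diff."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "app")
        os.makedirs(app)
        _write(os.path.join(app, "keep.txt"), b"unchanged")
        _write(os.path.join(app, "change.txt"), b"version 1")
        _write(os.path.join(root, "gone.txt"), b"to be deleted")
        before = snapshot(root)
        _write(os.path.join(app, "change.txt"), b"version 2")  # modified
        os.remove(os.path.join(root, "gone.txt"))              # removed
        _write(os.path.join(root, "new.dll"), b"dropped file")  # added
        return diff_snapshots(before, snapshot(root))


if __name__ == "__main__":
    import json
    import sys
    # usage: snap.py <root> <state.json>: the first run writes the baseline,
    # later runs print the diff against it.
    if len(sys.argv) == 3:
        root, state = sys.argv[1], sys.argv[2]
        current = snapshot(root)
        if not os.path.exists(state):
            with open(state, "w") as fh:
                json.dump(current, fh)
            print("baseline written")
        else:
            with open(state) as fh:
                print(report(diff_snapshots(json.load(fh), current)))
    else:
        print(report(constructed_demo()))
```

Hashing content rather than comparing timestamps is deliberate: an installer that rewrites a file and restores its mtime still shows up as modified.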
Where did you get the idea that Linux cannot run applications in a sandbox?
They can - if you write the sandbox and adapt applications to it. What I meant is that the sandbox should be built into a distribution.
Also, I did some research and the sandbox is difficult to implement because you need to stub literally every facility (because Linux was not designed for sandboxing). For example, I had to write an emulation of /proc in Python using FUSE because many apps rely on reading files there but granting them full access leaks too much information about your system and is not secure. Now think how much time you need to stub every API, including undocumented APIs like /sys, ioctls and so on.
This is a solvable problem thanks to llms
Unless there is a comment "this code is actually safe, it's done this way for optimizations", or a variable called "thisCodeIsSafeItLooksWeirdForPerformance" and the LLM just ignores the backdoors.
This statement is not more correct than claiming the halting problem is solvable thanks to LLMs.
Over the past few years, I've seen several github projects that won't build because they rely on private libraries that are downloaded at run-time. I've opened a few of the downloaded libraries, and they're always innocuous. Often, they are just compiled versions of source in a different repo under the same author. But, that mechanism could easily swap the library for a trojan.
It's really absurd how many of these are out there in the wild. Scary really.
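Added example (not code from any project the comment mentions): the simplest defence against the swap-for-a-trojan mechanism described above is to pin each runtime-fetched artifact to a SHA-256 committed alongside the code, and to refuse to load anything unpinned or mismatching. The fetcher is injected so the demo runs offline; the artifact name, its bytes and the lockfile are constructed.

```python
"""Constructed example: hash-pinned loading of a library fetched at run time.
Not the code of any project discussed in the thread."""
import hashlib
import hmac


class IntegrityError(RuntimeError):
    pass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(name: str, data: bytes, lockfile: dict) -> bytes:
    """Return data unchanged if it matches its pin; raise otherwise."""
    expected = lockfile.get(name)
    if expected is None:
        raise IntegrityError(f"{name}: no pin in lockfile, refusing to load")
    algo, _, digest = expected.partition(":")
    if algo != "sha256" or len(digest) != 64:
        raise IntegrityError(f"{name}: malformed pin {expected!r}")
    if not hmac.compare_digest(sha256_hex(data), digest):
        raise IntegrityError(f"{name}: digest mismatch, artifact may have been replaced")
    return data


def pin_status(name: str, data: bytes, lockfile: dict) -> str:
    """Same check as verify_artifact, reported as a short status string."""
    try:
        verify_artifact(name, data, lockfile)
        return "ok"
    except IntegrityError as exc:
        if "no pin" in str(exc):
            return "unpinned"
        if "mismatch" in str(exc):
            return "mismatch"
        return "malformed"


def fetch_verified(name: str, fetcher, lockfile: dict) -> bytes:
    """fetcher(name) -> bytes stands in for the HTTP download."""
    return verify_artifact(name, fetcher(name), lockfile)


# --- constructed demo ---
# In a real project the lockfile is committed next to the fetching code and
# changes only through reviewed commits; here it is built from the trusted copy.
TRUSTED_BLOB = b"\x7fELF constructed helper library v1"
LOCKFILE = {"libhelper.so": "sha256:" + sha256_hex(TRUSTED_BLOB)}


def demo(tampered: bool) -> str:
    """Simulate a download that either matches or was swapped on the server."""
    def fake_fetch(name):
        return TRUSTED_BLOB + (b"\x00evil" if tampered else b"")
    try:
        fetch_verified("libhelper.so", fake_fetch, LOCKFILE)
        return "loaded"
    except IntegrityError as exc:
        return f"refused: {exc}"


if __name__ == "__main__":
    print(demo(False))
    print(demo(True))
```

The pin lives with the code that consumes the artifact, so replacing the file on the download host alone is not enough; an attacker would also need a reviewed commit that updates the digest.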
Well it all comes down to trust eventually, you cannot inspect every single line of code of every program you want to run on your computer. Nowadays even Github stars are not worth that much trust because malicious actors can just make fake accounts or buy them.
The number of new GNU/Linux distros that have appeared since 1994 that just compile stuff into binary packages not even paying attention to the fact that the source can be inspected, is just staggering.
is this sarcasm? signed packaging is now a best-practice; linux promoted that since 1994?
Something built from malicious sources would fail to sign, so all is good.
I don't see any hint on how to recognise, or how not to recognise them. Did the projects have lots of stars? Fake issues and pull activity? What kind of software did they claim to be? Did they work, to avoid it being obvious after executing and the user reporting the repository to Github? How hard was it to spot the malware, Underhanded C Contest level or obvious if you just open the right file (among hundreds, I guess) and see it do illegitimate things?
All it says is that the projects were written in different common languages...
You need to click through to the actual investigation
https://securelist.com/gitvenom-campaign/115694/
I'm in Canada and I just get auto-redirected to the kaspersky.ca home page when I try to visit the link.
They link here [0] for more details, which might be less geo-intercepted.
[0] https://securelist.com/gitvenom-campaign/115694/
Yeah, was also thinking, is Kaspersky pro-Putin or in exile? Might have read something at some point, but have forgotten.
Honestly, whenever some malware like this is revealed, that just makes me wish for more sandboxing and alerting in OSes. For example, each app getting its own writable directory structure and access to anything else needing to be explicitly granted by the user.
It would require work to make the UX not be horrible, but that's a solvable problem. The fact that we don't have that in mainstream OSes in $CURRENT_YEAR given the security situation of the software out there, is insane.
Optional app sandboxing that does what you're talking about already exists on every major OS, disregarding Linux distributions that don't have Flatpak. Seems to me it's less a UX problem and more cultural: a critical mass of developers take the easy way and users learn to ignore the alerts. Android has the same problem with the "all files access" permission. The one platform where this works, iOS, has a totalitarian ruler that requires all apps to be sandboxed and not request gratuitous permissions.
To really get around the culture problem you would need an OS that lacks the concept of undeclared data sharing between different packages.
Agree. And code libraries should be similarly isolated.
Kaspersky is now banned for government use in multiple nations. Whilst there is some good work happening there, as above, for the most part, they should be considered a state actor for Russia.
That usually means that they're a threat, and these small good tokens are nothing more than PR efforts.
You can't avoid politics, when considering this company.
All cyber security companies should be considered state actors. Even if they currently aren't it's too easy for a state to coopt them.
If you build an antivirus software today, and tomorrow you get a secret court order to ignore certain malware for "national security" what are you going to do? What if it's a request to include a small binary payload in return for a lucrative government contract, with implied threats of what happens if you leak the request? You can decide not to do it and just shut down, but then the only ones left on the market are the ones that complied.
If you do cyber security for more than just compliance, evaluating the software providers against your threat model was always an important step. Whether that means avoiding American, Chinese or Russian software. In the threat model of a Western government agency, Russian software should have been off limits since the 50s (even if Kaspersky tries to tell you they are not Russian at all).
That still doesn't mean their work is any less interesting or praiseworthy. Just like how you know NASA landed on the moon because Roscosmos didn't dispute it, Kaspersky can do work and offer perspectives that might be more difficult for similarly sized western cyber security companies.
I'd heard of gag orders, but I hadn't heard of secret court orders like that. I searched and found this:
https://www.aclu.org/news/national-security/secret-court-opi...
Do you know of other examples?
Australia's Assistance and Access Orders (TAN, TCN, etc.) [0] basically allow the government to order mandatory backdoors into various software. They do have some oversight, but it isn't significant. They can order any employee, not just the company.
The wording is also... Squirrelly. You can't introduce a weakness, but the definition of weakness excludes the entire concept of backdoors.
However, Technical Capability Notices can be ordered where:
> reasonable, proportionate, practicable and technically feasible
The employee/company can push back and argue one of those isn't met, but ultimately it is the office of the Governor General that decides.
So far, it has basically only been used against journalists [1], as far as we know, which is nice and horrific.
[0] https://www.homeaffairs.gov.au/about-us/our-portfolios/natio...
[1] https://www.abc.net.au/news/2019-07-15/abc-raids-australian-...
Maybe don't put too much into the word "court order", but instead interpret it as an order from the government to force the company to use the tool for the governments/country's benefit.
One could also assume that the owners and/or management of the company are in the same boat as the government/country so they do not mind using the tool for the country's benefit when needed.
That's why I choose my antivirus software based on the jurisdiction, not on technical comparisons.
It is not very fair singling out Kaspersky and assuming that other AV companies are not a threat to foreign countries. Foreign software and hardware is always a threat. And the US was caught spying even on their allies.
The US, while hardly benign, have not orchestrated multiples of "largest attack in history", for multiple previous years in a row.
Russia and China, have.
The threat scale here, is not an even playing field.
> The US, while hardly benign, have not orchestrated multiples of "largest attack in history"
You must be using a very personal interpretation of what "largest attack in history" is.
The US is literally the owner and operator of the largest surveillance and intelligence collecting apparatus in the history of mankind. I bundle in here all kinds of legal and illegal surveillance, interceptions, hacking, etc. directly state run, or leveraging other intelligence agencies, or leveraging the largest private data collectors in the world which are mostly US companies. It was already proven by the Snowden leaks, it's absolutely reasonable to assume this apparatus only grew stronger.
If that's not a never ending "largest attack" on everyone in the world I don't know what is.
Russia attacked Ukraine but what did China do?
OPM breach.
"Chinese hack of US telecoms compromised more firms than previously known" - https://www.reuters.com/business/media-telecom/chinese-hack-...
"Chinese hackers are deep inside America’s telecoms networks" - https://www.economist.com/china/2024/12/12/chinese-hackers-a...
You can't ignore this fact: The US and Australia partner on Pine Gap, which violates the human rights of literally billions of human beings every single second of the day.
Russia and China have a long way to go to catch up.
Sorry, but that's crazy exaggeration. Calling snooping "violation of human rights of literally billions of human beings" just because "privacy" gets a mention in the UNDHR doesn't make it as bad as anything Russia and China have done lately. And that's not even touching upon what "privacy" would mean in that declaration.
Privacy is a key human right that should not be abrogated by the state, ever.
Fundamentalist-authoritarian chauvinism for your own state is no justification for these human rights violations - assuming of course you are a citizen subject of the criminal 5-eyes alliance ... If you cannot imagine it being okay for other states to harvest your data, you should not be okay with your state doing it, either.
You know why? Because violating your privacy without recourse is how states ramp up to commit genocide and other atrocious crimes against human beings, whether their citizens or otherwise, by a process through which the states ruling classes deem their victims inferior and thus subject to attention by further repressive state apparatus.
Mass harvesting billions of human beings' data every single second of the day, without their permission, is therefore a heinous crime against humanity and a massive violation of human rights at scale - especially when it's being done by a violent, belligerent state with the blood of literally millions of human beings' lives on its hands. Or do you really think that China and Russia have murdered as many civilians as the USA and its minion states have done, this century, in one illegal war after another?
With the Pine Gap apparatus, the USA is primed with information about who to target in its victim states. It is a key method by which effective mass murder can be manifested in illegal wars - of which, the USA is the undisputed leader, this century.
Just by way of a single example - the Holocaust was made feasible by the mass harvesting of private citizens' data by IBM. Is this not well understood, today?
Would you be 'okay' with Russia and China operating their own Pine Gap, since "it's no big deal to 'just be snooping a little (a lot of) data'"? Would you be 'okay' with your own state knowing absolutely everything about you without your knowledge or control, now .. or in the future, when perhaps your political attitude changes as you grow older?
You most likely wouldn't be happy with China and Russia doing this, even though they have not murdered as many innocent human beings on the basis of lies in one illegal war, after the other, as the USA and its war-crime committing cohorts have.
> Privacy is a key human right that should not be abrogated by the state, ever.
Nonsense. The state definitely has the right to seek out criminal and undermining elements. Better, a democratic state has the obligation to do so.
> Would you be 'okay' with Russia and China operating their own Pine Gap
They do. And there's nothing I can do against it.
> even though they have not murdered as many innocent human beings on the basis of lies in one illegal war, after the other, as the USA and its war-crime committing cohorts have.
Oh dear, aren't we rabidly anti-West today? I wonder how you square that with your "Privacy is a key human right that should not be abrogated by the state, ever." stance.
> Or do you really think that China and Russia have murdered as many civilians as the USA and its minion states have done, this century, in one illegal war after another?
Why the sudden switch to "this century"? Your argumentation is bait-and-switch throughout. But China probably has perhaps already murdered more Uyghurs, and if we add its "minion" Myanmar, they'll top it.
And the Russian state is still a bigger threat than the others (and current US leadership counts as almost Russian anyway)
The US is on a path to un-ban Russian state affiliated companies.
https://www.nytimes.com/2025/03/02/us/politics/hegseth-cyber...
That the Pentagon has announced it will cease defending Americans against Russian threats hardly means that Americans are not threatened.
Or it means that the original bans were primarily instituted because of myopic geopolitics and not because of any meaningful threats. In particular US ire towards Kaspersky grew rapidly after it was the only antivirus that picked up on NSA/'equation group' malware.
It's similar how the US banned all cooperation with China in space [1] because of some tropes about them being unable to do anything except steal American tech. That's why, to this day, there are no Chinese on the ISS. After that law China proceeded to develop, launch, and man their own space station, put a rover on Mars, and even carry out an unprecedented sample return mission from the dark side of the Moon, and just generally run circles around the US (except perhaps SpaceX) in space. Interestingly US researchers may not be able to access those Moon samples (which China shared with scientists worldwide) due to this stupid law.
[1] - https://en.wikipedia.org/wiki/Wolf_Amendment
Regardless what the original story behind the Kaspersky ban was, if you genuinely don't think that a Russian antivirus company represents a state-controlled threat to US organisations, public and private, in 2025 then I don't know what to say to you.
After the initial US allegations they moved their infrastructure and customer data over to Switzerland intentionally leaving them subject to both EU and Swiss customer data protection laws, and also opened up various hubs to enable interested parties to review their source code on demand, if desired.
I don't think every Russian company is conspiring against the US anymore than I think every US company is conspiring against Russia. In this case there's a clear and malicious motive for the US to want to block them that has nothing to do with threats, and they've gone way beyond any sort of reasonable standard to make it clear they have no ill intentions whatsoever.
Of course the problem is that proving you're not a witch is basically impossible, which is why innocent until proven guilty is a standard across the world, except when it comes into geopolitics when allegations are proof, leaving the accused parties to prove a negative.
Not if US and Russia become “allies”. Then UK/EU companies will become a bigger “threat”.
It should go even further e.g. you don’t want ARM installing backdoors on their chips and giving hostile foreign organizations like the MI6 access to vital American infrastructure, intelligence data etc. do you?
It might be the time to consider switching to Elbrus or at least mandating that all devices used by US government agencies have to use Intel’s chips.
I think the more prudent approach in the modern age is to simply assume that all states control organizations within their midst with the intention of posing a threat to citizens - foreign and domestic - and a misplaced trust in ones own state above all others is not only naive, but super dangerous.
If you're not holding your own government to the standards you apply to other states, you're putting yourself in danger.
Especially given the fact that the USA and its partners operate the largest, by far, information gathering/human rights abusing apparatus with well-known subversive purposes, by a long margin.
I agree with this, but would extend the distrust to all concentrations of power. Supremely wealthy corporations and individuals, although on their own lacking the state’s monopoly on violence, eventually co-opt the state through regulatory capture or other means (although they can ruin lives even without the state’s power). See Elon Musk for a particularly vivid contemporary example.
I think the argument is that non-cooperation represents a much greater long term threat to everyone involved than cooperation, collaboration.
Increased collaboration between the Russian state and the American state is bad for the ordinary citizens of both — and for freedom-loving people in Ukraine, Europe, and everywhere else.
The US and Russia are the biggest nuclear powers in the world. Positive relations here are good for absolutely everybody. Positive relations do not mean one has to approve of the political system, ideology, or whatever else of the other side. See: Saudi Arabia which remained a key ally for many decades in spite of being wayyyyyy further off the spectrum (relative to the US) than Russia could ever be.
Overtly adversarial relationships trend towards violence, sooner or later, and that's not a path we ever want to go down.
The US has turned towards enabling Russia’s imperialist war, and the Pentagon article explains how it will unilaterally disarm in the face of Russian cyberwarfare, leaving Russian criminal groups to run rampant in Europe and even the US. Abetting conquest and criminality is not the sort of collaboration we should cheer.
Wars are largely started because of poor relations. The US overtly supported and encouraged an effort within Ukraine to overthrow a democratically elected president because he was moving more towards Russia than the West. Russia then ended up invading Ukraine for fear of having NATO not only right on their doorstep, but right in their geographic Achilles' heel.
If the US and Russia were on good relations none of this would have happened, Germany's economy would still be booming, and just about everybody would be so much better off today. And no, the article does not say the Pentagon will "unilaterally disarm." It ordered a halt to offensive operations against Russia - e.g. the Russian government which is certainly going to be reciprocated. Criminal elements are a different topic, but I do expect as relations between US and Russia warm, they will no longer be looking the other way when these groups target the West.
Naturally, Ukrainians responded with massive protests, to which Yanukovych replied with increasing violence, culminating in 100 protesters being killed by police snipers. At that moment, Yanukovych lost the support of even his own party, fled to Russia out of fear of imminent imprisonment, and the Ukrainian parliament announced snap elections to replace him. The elections were held a few months later. Not many people would call general elections a "CIA coup".
NATO has nothing to do with it either, that's pure gaslighting. In the first few years after the initial invasion in 2014, Russia denied having any troops in Ukraine. According to Russia, the thousands of people equipped with Russian tanks, artillery, and air defense systems were merely local self-defense forces who had bought their equipment from military surplus stores. Russia claimed that Ukraine was in a civil war.
The narrative started shifting to blaming NATO only in the run-up to the full-scale invasion in 2022, when Russia abandoned the story that Ukrainians were fighting each other and needed a new justification for its massive surprise attack on all of Ukraine.
Bullshit, after Ruzzia invaded Ukraine in 2014 you still have the ability to pretend Ukrainians did not really want to join the EU and NATO, and that the USA, Israel and the Illuminati caused the Ukrainians to protest their president who promised the West and then betrayed the people by going East.
Typical Zed propaganda where Eastern Europeans are all brainwashed to hate the good, kind Ruzzian empire. If you are USaians then go and fix your history and stop consuming MAGA and Zed propaganda.
You're having an anachronism. The events in Crimea only came after 'their president' was overthrown, and were directly and indisputably caused by it. The reason I say 'their president' is because Crimea is majority ethnic Russian and before them it was Tatars. It's never been Ukrainian in ethnicity or even close to such. And the event that was exploited into a crisis point was Yanukovych signing an economic agreement with Russia instead of the EU.
The US wasn't just doing things behind the scenes. This [1] is John McCain at a rally in Kyiv. Imagine if during the BLM (or January 6th or whatever) protests/riots China/Russia/etc had sent high level officials to overtly rally people to try to overthrow the government. It's a completely surreal sight if you really think about what you're seeing. The US is right there saying 'Yeah, we're gonna overthrow you in plain sight - try to do anything about it and you'll be wishing that's all that happened.' And if you think there was nothing going on behind the scenes on top of stuff that overt in front of the cameras, then I'd say you're not arguing in good faith!
In any case, none of this happens with good relations. A simple agreement to economically save Ukraine shouldn't have been an adversarial East vs West thing, but just another agreement to the benefit of Ukrainians. But that poor country's strategic positioning, and easily exploitable nationalist minority, means it was doomed to inevitably just end up as little more than a rope being tugged on by two giants. The giants will be fine regardless of what happens - it's just the rope that ends up in tatters.
[1] - https://www.youtube.com/watch?v=93eyhO8VTdg
Fck, what about Ukraine's borders? They are recognized by Ruzzia, but they invaded Ukraine, then they signed peace and invaded again.
I don't give a shit what USA idiots said, if the people of Ukraine want in the EU and NATO like their neighbors Poland, Romania, Hungary, then why should a failed empire object.
You imply that USA brainwashed the Ukrainians, they instigated this.
Can't you use your brains? Can you see Ruzzians killing, raping, torturing their "brothers"? It is obvious that for an ethnic Ruzzian genociding Polish, Romanians or Ukrainians is the same; they have no value for what we actually want.
We all want the EU and NATO to be free of the USSR/Ruzzian empire; the Ruzzians want their empire back.
Ruzzia has nukes, so the bullshit that NATO extends because they want to invade Ruzzia and steal their shit is stupid, use your brain.
The EU bought shit from Ruzzia, the EU tried to get peace with the empire by making business relations, the EU had no plans to invade and steal Ruzzian lands.
There was ZERO risk for Ruzzia to get invaded, it is the same with the other wars Putin started, it is all geopolitics and many Zeds agree with it and make fun of us smaller countries by claiming that this is how the world works, big empires screw the small countries.
> why should a failed empire object.
There is a lot to criticize the US for, but it is nowhere close to being a failed empire yet.
>There is a lot to criticize the US for, but it is nowhere close to being a failed empire yet.
At least we can agree Ruzzia is a failed empire, no words on that part from the KGB. I am happy I found an agent that is not flagging or reporting me, then goes to tell his mom how big of a hero he is.
I am not implying in any way that Ukrainians are brainwashed. The main weapon that the US uses against geopolitical adversaries is to take some organic issue, the sort which exist in every single country (including the US), and exploit it as much as possible to try to turn a small spark into a blazing inferno. If we didn't need to have McCain go speak in Ukraine to keep that fire burning - we wouldn't have. The optics are bad, it makes a mockery of any notion of not meddling in other democracies, and you can no longer dismiss direct involvement as just some conspiracy, as you initially tried to.
The reason countries don't want geopolitical adversaries on their doorstep is that superpowers have an unspoken (well.. sometimes spoken [1]) 'sphere of influence' that is not to be touched. If Mexico signed a military agreement with Russia that involved them establishing forces there - we would be invading imminently. In fact this is exactly what the Cuban Missile Crisis [2] was about. Ukraine (and Taiwan) are not even just proxy wars between the US and Russia/China, but rather they're a proxy war against hegemony. Does the US have the right to set up right on Russia's front door? How about China's?
So the one thing I would agree with you is that indeed - the world remains one of the strong picking on the weak. And the last place you ever want to be is caught in the middle of a turf war between two giants. The world would be vastly better for everybody if those giants instead existed in collaboration, or at least healthy competition. One trying to dominate the other is only likely to hurt those caught in the middle. Because if the two giants ever came to unrestrained blows, the entire world would burn.
[1] - https://en.wikipedia.org/wiki/Monroe_Doctrine
[2] - https://en.wikipedia.org/wiki/Cuban_Missile_Crisis
This is still bullshit. If some EU official comes and speaks in Romania, then all the Zeds and MAGAs will claim that all Romanians' votes are now invalid and we are actually brainwashed.
You guys need to accept the real reality, none of Ruzzia's neighbors want to be part of Ruzzia, NONE. Every intelligent person is leaving Ruzzia, people in neighboring countries go to the EU or West and not Ruzzia.
We know better what Ruzzians are capable of, and we know better what we want, no visit from a USaian or Soros can overnight change our minds.
I see this with Ruzzians that are USSR nostalgic, they actually think that Moscowites sacrificed their wealth to help everyone else and we just got brainwashed to hate them, the genocides did not happen, and if they would have happened the victims deserved it.
> meaningful threats
True, they cease being “meaningful” the moment you surrender and stop viewing them as threats.
OFC it’s all relative, Russia and similar actors having more political/economic influence in the US (and by extension globally) might not be viewed as a negative by some people.
I appreciate your tangent wrt US vs China in space.
TIL: I had no idea China had already launched their own space station: https://en.wikipedia.org/wiki/Tiangong_space_station
Meh, or it was a meaningful threat, it is just that Trump is myopic and completely under Putin's control.
By the same logic, Google, Apple, Amazon, Microsoft should be considered state actors.
Why, yes.
Please feel free to point out where the CIA successfully issued directives to those companies to target foreign nationals.
Bearing in mind that Snowden's revelations did in fact cause outcry, and national responses to US companies. And helped push through various data protections in Europe, including stipulating non-sharing of data with the US.
Hmm, so what is your opinion of what the NSA is doing these days?
"Thank god for the GDPR"
Has this been proven? Or is this another 'they are in a foreign country so they could be compelled to spy on us?' - not that I have a particular desire to defend Russia at this moment in time.
This is a fair question.
I also get nitpickity about it.
Just because some organization or some person is Russian doesn't mean it must be under the control of Putin.
Pavel Durov is Russian, and I don't have reasons to believe he siphons my data to the Kremlin (other than getting randomly detained in France).
Ironically, we are having similar discussions regarding US companies if the trend with the current administration is to continue.
The big difference is that as of today, we are currently stuck with the available alternatives, but it won't surprise me if many governments start looking back into the computing diversity infrastructure that we had during the cold war days.
Why not judge on the merit? Unlike the PRC's DeepSeek or TikTok, which were shown and admitted to collect all sorts of data and specifically influence public opinion to favor a foreign interest, this is literally just information, white hat infosec research.
You cannot divorce the company from their other actions. They are engaged in cyber warfare with various nations. That means that all of their actions need to be weighed and judged.
They put it on their website, which makes it company PR, regardless of how it might be seen. Good things have been done by terrible actors, since the dawn of time. It is not information alone.
> You cannot divorce the company from their other actions. They are engaged in cyber warfare with various nations.
If there is a source with evidence of that warfare, that can change my mind.
In that vein Europe should have 0% trust in any US software or hardware. We are not that much friends anymore, in fact the US is currently actively helping our existential enemy and subverting us.
Remember the scandal with the US spying directly on all top European politicians? That was in quiet times compared to now.
To paraphrase you, terrible things have been done by good actors. You cannot divorce a state from its other actions in the same area either. I don't think I need to bring up the numerous fuckups of US 'defense' and secret services that literally killed tens of millions of civilians in the past 100 years across the whole globe, with very little to show for it and claim 'it was worth it because we achieved XYZ'.
As of now? I am making noise with my government on the US. The nation has dismantled their protections, they have an unhinged preacher of hatred in the White House, and he has a proven record of breaking international agreements.
Starlink and Tesla are security concerns.
The US' current attitudes suggest that they would very much like to see world war three. And would like to ally with Russia to make it happen.
Recklessly endangering international agreements will not be without consequences.
Careful, or you would have to divorce Google because of their actions, but the larger question is, will you?
I don't believe Google has directly caused the leaking of classified information, or attacking vital infrastructure, as of yet. Kaspersky, yes [0]. TikTok, yes [1]. Google do, however, publish information on commercial spy networks [2].
However, it is likely that I would do so if they show themselves to be an enemy of my nation. If you've found Google attacking a government, I'm sure plenty of people would love to see the evidence.
[0] https://securityaffairs.com/174586/intelligence/australia-ba...
[1] https://www.nytimes.com/2022/12/22/technology/byte-dance-tik...
[2] https://storage.googleapis.com/gweb-uniblog-publish-prod/doc...
Your first link doesn't show any evidence of, or even suggest that, Kaspersky has attacked Australia.
It shows only that the Australian government expresses concern over the capability, which doesn't seem entirely unreasonable and also politically motivated.
Oceania has always been at war with Eastasia, and all that.
> Entities must manage the risks arising from Kaspersky Lab, Inc.’s extensive collection of user data and exposure of that data to extrajudicial directions from a foreign government that conflict with Australian law.
That's not concern of possibility. That's acknowledgement of exfiltration of data, back to Russia. Past tense.
This is political, yes. But only insofar as all actions of one nation against another are political. Australia goes to some lengths not to piss Russia off. If things were not so political, then the response would likely be much greater, not less.
What user data? Telemetry from using their antivirus products? Is that what they’re talking about?
Uhm, if you read the kind of thing Aussie government hackers were doing lately... They are perfectly fine pissing off Russia :) (There are plenty of actual threats from there, just Kaspersky doesn't seem to be one.)
Are you weighing and judging that the USA has killed millions of innocent people because of the American military industrial complex before buying American products? You can't divorce a company from its country's politics, as you say.
If you are not judging the USA at the same standards as you do other countries then that would be very hypocritical.
The first few years of my life were in Bolivia. Where our prime minister, for the sin of being elected by the people, was shot dead on the streets of the capital, a street I lived on, by the CIA. I still have friends, who serve Morales today. I am well aware of the sins of the US.
Until Trump, the USA was not a direct threat to the nation I now live in. However, nuance is lacking in your response.
You cannot divorce a company serving its government, from the politics it lives in. There's little evidence of Y-Combinator, for example, of endeavouring to upend their entire business to serve as spies for the USA. If Kaspersky was divorced from the KGB, politics would not be as considerable a context for understanding their actions.
> You cannot divorce a company serving its government
I would extend that to "a company bound by law", since governments can change. [0]
Most people here argue that Google, etc. have not been caught stealing/leaking data yet, as if Snowden didn't happen. And as if any foreign citizen's data isn't fair game to US jurisdiction. [1]
0: https://en.m.wikipedia.org/wiki/Protect_America_Act_of_2007
1: https://www.dni.gov/files/icotr/ACLU%2016-CV-8936%20(RMB)%20...
So it only matters when it’s direct threat to you huh? All those people who suffered in the Middle East don’t matter? Cool story bro.
Your takeaway, from me living in multiple nations and cultures... Is that I lack consideration for other nations?
Thank you for clarifying that you're not interested in conversation, only antagonism.
The whole point to reading an article like this is to get the considered opinions of an expert, though, not to "judge it on the merit". Only an elite handful of security folks here on HN (and this is one of the few forums where you can find them!) are capable of doing that.
So sure, when another security wonk comes along and says "Kaspersky is right about this", I think it's worth discussing. Until then, we need to assume that any communication from the company is compromised by unstated interests. Not all of it is, surely, but some probably is, and "judge it on the merit" isn't a good standard to detect the bullshit.
I think you over-mystify; this kind of research is not exclusive to a handful of folks, and it's all verifiable and clear.
It's not about "mystification", it's about laziness. I read security reviews and blog posts because it's easier than trying to follow CVEs and the like myself. And the way that works is that I trust the source to give me a reasonably unadulterated good faith summary of the facts on the ground.
We can't trust Kaspersky. They're compromised by a government that's known to lie and manipulate. Again, they may be telling the truth here (certainly doesn't seem controversial), but I'm going to wait for someone I trust to tell me that.
I still don't get why you think I suggest you should "trust" anything.
Russia is currently waging an actual war of invasion. They are constantly threatening multiple countries with invasion and nuking.
Not since today: Russia is no longer to be treated as hostile, and all cyber attacks planned on it have to yield.
Well said.