Here we go again

Hey everyone. I haven’t posted here in a while. The world made no sense the last time I did, and it makes even less sense now. That translates (among other things) to people being crazier on the internet, constantly challenging my personal illusions about what I imagined to be rock bottom. Maybe in five years, I will come back to this post, read it again, and go “oh, man, those were the chill days, I miss those”.

The craziness that’s rattling me these days is related to Russia. Maybe before we dive in, I should clarify a few things. The most important one being: I unambiguously stand behind the Ukrainian people who are currently facing an armed invasion. Next, and you probably know this about me already if you landed on this page: I am a French national currently employed by Kaspersky, the world’s number one lightning rod for Russia-related hatred (and otherwise antivirus maker). I joined the company in 2018, not long after the very public accusations leveled against it by the US government. My rationale was that nobody could piss off so many important people without doing a few things extremely right – and I was correct in that assessment.

Today, as tensions between Russia and the West have reached their all-time high since the Cuban missile crisis, Kaspersky finds itself in the crosshairs again and I feel that I’m in a good position to address several concerns that have been raised, as well as dump a few things that have been weighing on me. This message does not come from corporate communications (which is why it’s posted on my personal blog). Nobody wrote those words for me, nobody even asked me to write them. You might accuse me of not being impartial, seeing how I’m being paid in dirty Russian blood money and all. That’s fair. So I’ll start by clarifying exactly what my stake in all this is.

I am emotionally invested in this company. This shouldn’t come as a surprise to anyone: I’ve worked there for almost 4 years now. What a privilege it is to work with such smart, talented people, blah blah blah, you’ve read those words a thousand times. But if you’ve ever written them (and if you truly meant them) you know how unique and precious this is. GReAT is the best team I have ever been a part of, so you bet I want the whole structure supporting us to thrive. On the other hand, my financial and material stake in Kaspersky is very limited. Sure, they pay my salary. But I would like to think that by now, my work has gathered enough attention in the infosec community that if I were fired tomorrow, I would find a new employer in less than a week. Dear random CISO reader, ask yourself: if I sent you my resume, would you hire me? If not, screw you – I never wanted to work for your lame-ass company anyway – but at least admit that it’s likely others would at least consider it. My point being, I’m not dependent on Kaspersky to make a living. For all intents and purposes, I would like you to believe that I stand to gain nothing on the financial level by making any of the claims contained in today’s post.

“Claims? What claims, Ivan, all we see so far are paragraphs and paragraphs of disclaimers and misguided attempts at establishing credibility.” Alright, you got me, I won’t dance around the point further.

Should people ditch Kaspersky AV?

I don’t care. Seriously, I don’t. I told you, my livelihood isn’t at stake here. If you decide to move on to another vendor, all it means for me is less telemetry to do my threat intelligence work. Guess what? I get lost in all that data anyway, so much so that I tend to leave that aspect entirely to more talented coworkers. But if you’re going to leave, at least do it for the right reasons (i.e., finding a better product). Not for one of the crazy ones that pop up whenever there are geopolitical tensions, nor the more reasonable ones (though equally unfounded) that surfaced this time. Some of which, by the way, are actively fanned by competitors (as they have at every chance they got, stay classy guys). Allow me to address those, Q&A-style.

Is there a backdoor in Kaspersky products?

This accusation has been directed at the company since 2017 and has yet to be backed by evidence of any form. The source code can be reviewed in transparency centers. Not enough for you? You’re asking me to prove a negative, but maybe I can sway you with a telling absence of smoking gun. APTs reverse-engineer our products all the time. I know that, because I know they’re not stupid: they want to avoid detection as much as we want to catch them. At this point, if the NSA hasn’t looked at every single instruction of our AV, someone simply isn’t doing their damn job. If there were hidden features in there, they’d know about it, and I have to assume that they want nothing more than to expose Kaspersky’s dastardly ways to the world. It’s time to consider that the backdoor just isn’t there.

Aha! But some Russian government domains point to Kaspersky IPs!

You’re probably referring to this article. This is not the damning evidence you think it is. Some government websites are located behind a DDoS protection proxy operated by Kaspersky, that’s all there is to it. Any insinuation that Kaspersky and the Russian government are so tightly interwoven they share the same IT infrastructure is technically illiterate at best, intentionally misleading at worst.

It means Kaspersky sells services to the Russian government. Like DDoS protection, malware analysis training (I know) and antivirus protection (I imagine). What did you expect? Russia is not our only government customer.

But things have changed, what if the Russian government compels Kaspersky to cooperate now?

The company’s headquarters are located in Russia, most developers are based there too. True, they are bound by local laws and have families. Since the beginning of the crisis, internal procedures have been tightened (that happened constantly over time, mind you) to account for the possibility that a rogue employee would misuse the capabilities of our products. You can still have a look at the source code and the software bill of materials to check that nothing fishy is going on.

This being out of the way, I would like to draw attention to your weird and specific obsession with Kaspersky antivirus. This is not the only Russian-made software out there, you know that, right? Let’s play a game.

                                    Kaspersky Total Security   nginx                                              Telegram
Receives updates from Russian devs  Yes                        Yes, via the repositories of Linux distributions   Yes
Open-source                         Available on demand        Yes                                                No
Privilege level                     Administrator              Must start as root to bind to ports 80 and 443     Whatever, can read all contacts and messages anyway

Your focus on Kaspersky is short-sighted. If you think the Putin administration may use its local IT industry to go after you, you need to think bigger. Don’t trust us, just like you shouldn’t blindly trust any other software vendor in the wake of the SolarWinds incident. Monitor your network, always be on the hunt for malicious activities, and if you ever trace back an intrusion to a Kaspersky product or update, be the one who kills the company. I swear that if it ever happens, I will be the first to join your crusade.

What about business continuity?

Kaspersky employees received clear information about the fact that operational continuity is the absolute priority at the moment. There actually are contingency plans (thanks to datacenters located in Switzerland and other countries) to make sure software updates and new signatures can still be delivered even if Russia breaks off from the internet. The international sanctions placed on several Russian banks won’t affect you, because you’re doing business with local Kaspersky branches (such as Kaspersky France), which are separate entities. Even if the Russian government were to impose crazy sanctions forbidding all trade with the West, it wouldn’t change that fact.

There are currently high-level meetings (that I kind of wish I could be part of) where the craziest scenarios are being evaluated. I’m not at liberty to divulge what these are, but I hope you’ll believe me when I say the countermeasures envisioned are just as crazy. Operations will not be affected by anything other than you deciding you’re severing all ties with Kaspersky.

If you’re one of our threat intelligence customers (bless you), the GReAT team spans over forty people located all around the world. We keep having complete creative control over what we write, and I can personally vouch for the fact that we’ll retain the ability to release reports no matter what happens in Russia.

So… All in all, I genuinely don’t believe that the war has any impact on your “technical” relationship with Kaspersky. But some have raised fair ethical concerns which I would also like to address.

Does Kaspersky support Vladimir Putin’s “special operation” in Ukraine?

This question has many layers, and I will do my best to go through all of them. The most basic answer is to point out that with the sole exception of arms dealers, no corporation in the world ever supports war. If you don’t have faith in human decency (why should you?), at least believe in capitalism. War is terrible for business. War destroys economies, sends exchange rates plummeting, closes off whole markets. Think of Russian oligarchs right now: do you think they’re happy to have their yachts seized and assets frozen in the name of national pride? Kaspersky, as a company, wants nothing more than a stable worldwide ecosystem with 5-10% yearly GDP growth onto which it can push product. Kaspersky hates war.

What about Eugene Kaspersky’s tweet, then? Companies are made of people, surely they can formulate ideology beyond the soulless search for profit. Fine, I’ll level with you. I was very unhappy with this tweet. Many people in my team were. I wish we had said nothing instead of this. But let’s take a second to discuss what it actually means.

I’m not familiar with the story of how this tweet came to be. What I know is that social-media accounts of high-profile people are not always managed by themselves but instead partially controlled by social-media teams. Considering the topic of this tweet, I’m willing to bet everything I have that there were meetings about it and that it is the result of infinite amounts of nitpicking over every little word. Am I happy with the end result? Of course not, I already made that clear. But if you read it and thought “wow, Eugene is genuinely advocating for a compromise”, if you think this is a faithful representation of anyone’s opinion, you’re being delusional.

Of course, I don’t think the majority of the criticism directed at this statement was an attack on a perceived political stand. The contrary, in fact: people were mad Eugene Kaspersky didn’t take one, just like they painted his silence as complicity before. Why not publicly denounce the invasion of Ukraine? You know very well why.

As I’m writing these words, over 6,500 people have been arrested in Russia for protesting the war. It’s easy to call for someone else’s act of bravery. Easy to ask someone to risk jail or torture for your opinions (or even theirs). We all want to believe that in the same situation, we would do the right thing, fight the oppressor, stand for the little guy. Here is a simple test for you armchair warriors: Ukraine is openly looking for foreign volunteers to join the fight. Will you consider defending these ideals yourself? Yeah, didn’t think so.

Get off your high horse. You have no right to call for anyone’s sacrifice.

What it means to work for a Russian company

I don’t doubt that eventually, someone will ask how I can stand any association with the Russian government. Simple answer: I couldn’t. I’m not affiliated with it in any way. The distinction between a government, its citizens and the local companies should be obvious. I don’t even support my own government, why would you assume I support theirs? Why would you assume that Russians do, considering they hardly get to pick it?

I’m not going to leave a company that I love, that has been objectively good to me and provides good services just because it has the misfortune of being born in Russia. The only thing that would cause me to reconsider is if the situation prevented me from fulfilling my mission, or if the overall structure started defending values I can no longer stand behind. Kaspersky’s current values are that we will defend our customers no matter what in these dire times: the Ukrainian ones and yes, the Russian ones too. In fact, I’ve spent the last week tirelessly slaving in IDA Pro to document cyber-activities taking place in Ukraine right now.

The cherry on this otherwise absence of sundae is that as a French person, I can safely call whatever is going on in Ukraine a “war” or an “invasion”. Many of my dear colleagues simply can’t. When the “special operation” started, none of them could believe what was happening. Some cried. All lost their life savings overnight, only to log in later and discover the whole world now hates them. You would have me turn my back on them?

Your hate accomplishes nothing. It only furthers the misery of those who are already miserable. Think about the costs of your virtue signaling.

I will not quit my position in GReAT. Working for a Russian company doesn’t mean I support the Russian government – I categorically don’t. It means I support the company’s mission. It means I’ll keep soaking up moron-sized shrapnel on social media for it. It means I won’t abandon ship, leaving behind gagged coworkers and friends from Russia. I’ll do my best to be their voice instead.

This one is for them: “fuck this war and the people who ordered it”.

See you on Twitter.