Kaspersky plays down source-code leak
Stolen, obsolete code has no effect on protection
Leaked versions of source code for older versions of Kaspersky Lab's security software have been released through file-sharing networks over the last few days.
The source code comes from early 2008 versions of the consumer version of Kaspersky's security suite, which included anti-virus, anti-spam and parental control features. The beta code was originally swiped by a corrupt employee who tried to sell the technology prior to being arrested and convicted for intellectual property theft.
The source code is outdated and incomplete but may still provide clues to less-than-ethical second- and third-tier security firms on how to go about improving their products. The code – which previously appeared on online hacking forums back in November – is now far more accessible following its availability through BitTorrent and other file-sharing networks. It seems unlikely that the code would tell cybercrooks anything they didn't already know or provide much help in working out ways around Kaspersky's security defences. More skilled and well-resourced virus writers commonly test their creations against a range of anti-virus tools prior to their release. Source code analysis doesn't figure in this process.
Kaspersky is playing down the significance of the incident. The antivirus software developer released this statement:
On 27 January 2011, Kaspersky Lab became aware that some parts of the source code for the company’s older (2008) range of products were illegally released on the internet.
After extensive checks, Kaspersky Lab specialists found links with an incident in early 2008 in which a former employee, who had access to the source code for the Company’s 2008 range of home user products, announced that the code could be bought over the internet. The matter was quickly referred to the relevant law enforcement agencies and the ex-employee was apprehended. The culprit was later found guilty by a Moscow district court under Article 183 of the Russian Federation Criminal Code and received a three-and-a-half-year suspended sentence.
Kaspersky said the source code released on BitTorrent had already been released through underground forums. The wider availability of the code poses no risk, the developer said.
Kaspersky Lab reiterates that this incident cannot harm users of its products, solutions and services in any way. The stolen source code is related to one of the previous product lineups, and since then the company has renewed all key protection technologies. The stolen code represents a very small part of the modern product source code, and is not related to protection functionality. It also contains fragments of an obsolete version of the Kaspersky anti-virus engine, which has been radically redesigned and updated since the source code was stolen. ®
Obviously, you didn't read the article. A corrupt employee stole the code, not a hacker. You can't control a disgruntled or corrupt employee from accessing the code he was originally employed to work with.
*Knock Knock* William, wake up from your dream world and read what the article actually says, not what you want it to say.
It was a former employee who leaked it, no hacking involved.
All it takes is one bent employee who shafts the reputation, but it's some conciliation the source-code has been made public now so far down the development line rather than in 2008.
No, no, no: You're still insane
"There is no such thing as 'intellectual property'."
Maybe not to you, but there are businesses and corporations that rely on trade secrets ("secret recipes", if you will) to differentiate them from the other ho-hum competitors. You can apply this to anything, not just code. If everyone had access to every secret, there would be no competition. Everyone would churn out identical products, and no one company could actually succeed.
"What's insane is Microsoft continuing to sell an OS where it's easy and normal to circumvent privilege separation..."
What the hell is "privilege separation"?
"...users putting up with all this..."
Putting up with what, exactly? I noticed that you've already complained about Microsoft. Let me say this about Windows, and any other OS: most problems come from the interactions between third-party (not always high quality) software and the OS itself, plus any other drivers, etc. Not every mistake that developers make can be pinned on Microsoft, but, it's too easy for the consumer to do.
"Your Source Code is not special. If you can write a program to do something, so can I -- and I don't even need to see your Source Code, just what it does."
And why isn't it special? Maybe you can write the same program I can. But, how does that justify me giving you my source code when I did the work? That's like saying, "I could make $100 today, but you already did so you should give me yours."
"If you're too cowardly to show me your code..."
It's not cowardice. If developers want to run around and brag about their code, they will. They can make it open source. It's not cowardice to run a business. Microsoft wouldn't have made the money they did if they released their code into public domain. And, in case you haven't figured this out, businesses are supposed to make money.
"I, on the other hand, am proud to nail my colours to the mast. I wrote this program; it is the best of its kind, and I will even show you exactly why nothing anyone else does is ever going to come close."
That's a poetic note. Well, I, and hundreds of others, will take *your* code and make it our own. Then, we will sell it and put you out of business. 100 vs. 1.
"Keeping secrets from me about products I am expected to use is neither tenable nor justifiable..."
Ok, then tell your car company that they should give you wiring diagrams, and blueprints, and all their research that went into making *their* product the next time you buy a car. Same goes with everything else you own.
"It is also unsustainable..."
This doesn't imply unjustifiable! Again, you are basing your argument on the fact that since programs can be reverse-engineered, you might as well just give up all your secrets anyway.
In conclusion, you sir are a nutter. I hope you do develop an ultra-efficient, state-of-the-art, "killer app". That way, the whole world can hold you to giving them the source code.