Email of the day on cyber security
In passing, you recently mentioned Kaspersky's recent claims about spyware being installed on new PC's by "US PC Manufacturers". Refers to article http://www.ft.com/intl/cms/s/0/4d4a8f9c-b668-11e4-95dc-00144feab7de.html?siteedition=intl
As a former R&D executive in one of those companies, I thought it relevant that I comment.
Every line of firmware is precious, and must work correctly. Every line is inspected by multiple engineers and QA people, and the manufacturing team uses hash coding techniques to guarantee that what came out of engineering is what is being implemented in PGA's (chips that contain the firmware). These chips are tested to make sure the firmware did not get corrupted in the process. So any spyware that gets embedded in firmware has to be designed in.
I think it's important to understand that any such implementation would require that the manufacturer's R&D, QA, and manufacturing teams cooperate in the endeavor. And still keep it secret. Furthermore, those teams are across countries, as very few PC's are currently manufactured in the US. Think you can keep this kind of thing secret across a whole gaggle of engineers, none of whom have security clearances, and many of whom are not Americans? Bullshit. Add to that, the claim is that this happened across multiple US companies? Really bullshit.
The idea that code can be somehow magically embedded "deep in the hard disk" is the same notion. The boot area on the hard disk has tight, highly inspected code. Again any spyware would have to be designed in and would be known to a large multi-functional team. Blank boot disks arriving at the manufacturer are really, truly blank, and are completely formatted by the manufacturer prior to copying the boot sector, etc.
I very recently spoke with a very senior executive in the computer security business, who simply pointed out that Kaspersky is a Russian company, and suggesting that this fact should really end the whole conversation.
Perhaps anyone running Kaspersky software should be quite worried about what that (highly invasive, deeply embedded software with frequent accesses to Kaspersky's servers) software might be sending back home to Russia. If one uses Kaspersky, it's time to give this some thought. McAfee and Norton/Symantec offer better, safer solutions.
Well said. However regardless of whether the claims made by Kaspersky are true or false, they will still be used to help justify championing domestically designed and manufactured products by countries with a desire to compete with the USA in just about every sector.
Back to top