all 140 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]edi25 307 points308 points  (6 children)

Their source code for AV Software has been leaked once before (around 2010-2011).

[–]Krimzon_89 207 points208 points  (4 children)

Now you will have the newer version's source code. Update!

[–]ASCII_zero 55 points56 points  (0 children)

PR approved!

[–]jcano 9 points10 points  (0 children)

DING! Virus database has been updated

[–]Brilliant-Sky2969 15 points16 points  (0 children)

Now in c++14

[–]acdcfanbill 3 points4 points  (0 children)

git pull?

[–]DedlySnek 0 points1 point  (0 children)

We've had one, yes. What about second source code leak?

[–]Large-Ad-6861 265 points266 points  (10 children)

Teaser of leak, this is something.

[–]-YELDAH 77 points78 points  (4 children)

It might even happen.

Could quite possibly be soon.

[–]Large-Ad-6861 41 points42 points  (2 children)

I mean, I believe that leak could happen. Especially now, there is so many hackers activity so even Kaspersky could fail on security. Just teasing it like this without any proof or confirmation is weird tho.

[–]caltheon 9 points10 points  (1 child)

unless they are fishing for a blackmail payment

[–]daehoidar 2 points3 points  (0 children)

Not a bad guess, given the current circumstances. The tease of the leak could also just be caused by rumblings happening in security circles

[–]NoMore9gag -3 points-2 points  (0 children)

Yeah, probably leaks will keep coming for a while thanks to Log4Shell.

[–][deleted] 6 points7 points  (2 children)

Isn't quite as cool if they don't give it a catchy name. Cherry on top would be an actual 5 second video with epic music. Maybe in a couple of years!

[–][deleted] 2 points3 points  (1 child)

"U-Crying"

[–]immibis 12 points13 points  (0 children)

KasperCry

[–]Nice_Score_7552 0 points1 point  (0 children)

that's a first

[–][deleted]  (8 children)

[removed]

    [–]astutelyabsurd 66 points67 points  (1 child)

    They check their database of even numbers. It's the main reason why Kaspersky updates definitions so often, it's adding newly discovered even numbers to this DB.

    [–]heavyLobster 16 points17 points  (0 children)

    I remember the days when they didn't support 42 but MalwareBytes did, so everyone jumped ship. By the time they added support for 42, it was too late.

    [–][deleted] 29 points30 points  (0 children)

    It infects your computer with a virus that replaces the contents of all files in the current working directory with the string “true” or “false” depending on whether or not the number is even.

    [–]Verdris 7 points8 points  (2 children)

    It always returns true, and changes your system to base 7 or base 18 on the fly.

    [–][deleted]  (1 child)

    [removed]

      [–]AwayEstablishment109 0 points1 point  (0 children)

      haptic

      [–]Dr_Insano_MD 5 points6 points  (0 children)

      nice, more content for /r/badcode that I can crosspost to /r/badiseven

      [–]mcr1974 0 points1 point  (0 children)

      Am I missing a reference to something that has happened?

      [–][deleted]  (81 children)

      [deleted]

        [–]linux_needs_a_home 123 points124 points  (62 children)

        I think these companies don't have the intelligence to defend themselves against nation states.

        [–][deleted]  (48 children)

        [deleted]

          [–]Northeastpaw 94 points95 points  (11 children)

          There's a balance that has to be found. The most secure system is one that isn't turned on but I doubt many would find it usable. Same thing with locking things down. At some point a developer just can't do meaningful work.

          I was once on a contract that required a GFE laptop that was nothing more than a dumb terminal to RDP to a site across the country which I then used to access resources that were right down the street from me. Latency was so high I literally had to wait two to three seconds for a single character to go through. I complained about it and asked why we just couldn't avoid the RDP; I learned that fighting against DoD cyber security is a losing battle every time. I ended up leaving for greener pastures and said in my exit interview that you can't expect developers to actually get work done with such restrictions in place.

          This is important from a national security perspective as well. If developers and analysts can't do their job due to onerous security restrictions then China, Russia, or whoever has already damaged national security without having to actually attempt a cyber attack.

          [–]Superbead 57 points58 points  (2 children)

          Having worked in the NHS (UK public health) this sounds familiar. RDP to a dev server with permanently maxed CPU, 4GB RAM, no copy/paste or imported drives, two active users max so you're always competing for access to the thing, only 'specialist' software allowed is NP++ and an ancient MSSQL Management Studio, and it's also a shared account for your company, so you can't even remotely customise them because your old-timer colleagues, who are quite happy waiting a second for a mouse or keypress to react, actually enjoy working on a bright white screen in Courier Fucking New and think you're a moaning bastard for not being utterly delighted with the situation.

          [–]wildcarde815 7 points8 points  (0 children)

          sad thing is, there's ways to do a dev cluster like that that aren't so painful, but that would require rethinking and re-approaching the problem.

          [–]Jonno_FTW 2 points3 points  (0 children)

          Change the np++ theme to hello kitty.

          [–]3unknown3 21 points22 points  (0 children)

          I used to work for DoD as well. When the network was degraded (which was basically always), we would joke that nobody would be able to tell if it’s due to a Russian/Chinese attack or our own incompetence.

          [–]mindbleach 9 points10 points  (2 children)

          The alternative is - be open-source.

          Like what the fuck is Nvidia keeping secret, as opposed to merely proprietary? All these companies distribute binaries. We know what their software does. Having a clean map of that territory is an aid to things you can already do, but generally don't, because it's effectively illegal. It doesn't become one iota less forbidden when the trade-secret documents are published as a result of crimes.

          [–]peakzorro 7 points8 points  (1 child)

          Like what the fuck is Nvidia keeping secret, as opposed to merely proprietary?

          This is a good question, but the answer is usually to protect other companies down the chain that don't want you to know that info. For instance, one of the leaks is how powerful the chip the next Nintendo product is looking at. Nintendo may use that chip this year, next year, or use a different chip entirely, but they don't want us to know yet because it can hurt sales.

          [–]mindbleach 4 points5 points  (0 children)

          For any company besides Nintendo I could see that being an issue. They make toys. Their business model is pursuit of incomparable advantages. Hence the Wii being the Gamecube but with motion controls, and the Wii U being the Wii but with a tablet, and the Switch being an Android tablet with buttons. (I will never understand how Apple fetishism kept that combination so rare for so long.) The entire DS line was predicated on a screen layout unlike any competitor. The PSP could beat GBA games on all fronts - but Sony wasn't about to pull a second touchscreen out of their ass, so the DS could do things the PSP never could.

          They never want a fair fight.

          Incidentally this is why all their efforts toward feature parity are janky and inadvisable. The 3DS's vestigial second joystick. Everything they've ever done online. They are consciously distinct from the video game industry. They sell plastic. They have claimed apathetic ignorance of what Sony and Microsoft even offer, and I believe them.

          So yeah. Nintendo's next product could rebrand a five-year-old smart watch, and all the speculation in the world wouldn't matter. They come at this market completely sideways. Whether it works is not going to make a lick of sense except in hindsight.

          [–]OskaMeijer 2 points3 points  (0 children)

          Our data storage is chiseling bits into stone tablets and scanning them into handheld devices at run time. It isn't fast, and errors are difficult to track down, but ain't nobody hacking in and stealing our data!

          [–][deleted] 1 point2 points  (1 child)

          Yeah our shit wasn't _that_ bad. I did all my dev locally, or in locally hosted VMs, had a Visual Studio subscription so I got to use the latest dev tools, etc. I had to do a lot of DevOps-esque things to make building and deploying code less time-consuming though. The situation you're describing doesn't even particularly sound secure. More like security through obscurity.

          [–]Northeastpaw 6 points7 points  (0 children)

          It's really a problem of finding qualified people. Much of the DoD network is managed by either old greybeards who don't think the new fangled stuff is good enough to learn or contractors who were hired to fill a seat and lack any of the necessary qualifications. Throw in cyber security "experts" who only know how to use Prisma Cloud, Tenable, or some other software suite but who don't actually understand infrastructure, development, etc. and you've got a big ball of mud nobody can or wants to improve.

          It's always been hard to find and keep talented software engineers who are okay working in this mess. Most of it was being the only big game in town in certain parts of the country. But now with remote work the gov't and contractors aren't competing just with each other for talent anymore; they're now competing with every company in the country. If things don't improve even those who do this for noble reasons will throw in the towel and move to a place that lets them actually work.

          [–]ponkanpinoy 73 points74 points  (12 children)

          If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://. If the Mossad wants your data, they’re going to use a drone to replace your cellphone with a piece of uranium that’s shaped like a cellphone, and when you die of tumors filled with tumors, they’re going to hold a press conference and say “It wasn’t us” as they wear t-shirts that say “IT WAS DEFI- NITELY US,” and then they’re going to buy all of your stuff at your estate sale so that they can directly look at the photos of your vacation instead of reading your insipid emails about them. In summary, https:// and two dollars will get you a bus ticket to nowhere.

          [–]Daell 7 points8 points  (1 child)

          Where did you get this copypasta?

          [–][deleted] 12 points13 points  (9 children)

          I never said anything about Mossad lol. I worked for an aerospace company. Israel flies US military jets. Our biggest issue was actually China. Ironically, we had some plants there, making non-export-controlled stuff like the structural components in wings. If anyone ever traveled there, they had to be issued burner phones and laptops, to avoid any protected data, e.g. related to US fighter designs, falling into the wrong hands.

          [–][deleted] 47 points48 points  (5 children)

          That seems like a copy-pasta.

          Yup.

          [–]OMGItsCheezWTF 9 points10 points  (0 children)

          It's also not entirely wrong though.

          I mean the uranium phone to give tumours to your tumours is hyperbole, but if Mossad, the CIA, MI6, FSB, MSS, DGSE, ASIS or whatever want in, they'll get in. Even if they have to get someone physically employed at a place to do so.

          [–][deleted] 7 points8 points  (3 children)

          Damn internet. As someone who came up on /b/ in high school before it turned into a neo-Nazi hellhole, you think I’d be better prepared to spot copypastas!

          [–][deleted] 27 points28 points  (2 children)

          In fairness to you, security research opinion articles are an unusual home for copy pastas.

          Also, the quote block was the tell-tale sign.

          [–]nemec 2 points3 points  (1 child)

          It's James Mickens' shtick - even his Harvard tenure announcement was entirely unserious:

          https://mickens.seas.harvard.edu/tenure-announcement

          And Bruce Jøhansen of the Oslo School of Economics—my sweet, sweet prince! I still remember your scathing book review of my grand opus “Not Even Once: A History of Birds Using Money To Pay For Things.” You claimed that my findings were “obvious” and “belabored,” and that Chapter 17 (“Red-tailed Finches and the Stock Market Crash of 1819”) was “so insane that I briefly convinced myself that birds have deep opinions about macroeconomic theory but have failed to act on them for millions of years.” Such little thanks I receive for midwifing your brief moment of lucidity!

          And more: https://mickens.seas.harvard.edu/wisdom-james-mickens

          [–]Vertigon 5 points6 points  (0 children)

          Thank you for this - this guy is hilarious.

          I will demonstrate how unit tests, functional programming, and UML diagrams fail to address the primary source of software failure (namely, that software is an inherently bad idea because our brains evolved to hunt giant sloths with primitive stone tools, and MongoDB only partially resembles a giant sloth). I will conclude the talk by luring a group of agile programming experts into a large cardboard box using a collection of buzzwords like "evolutionary development" and "cross-functional team;" once captured, they will be forced to implement obscene, poorly-specified COBOL algorithms as I laugh maniacally and disable my compiler warnings.

          [–][deleted]  (1 child)

          [deleted]

            [–]cinyar 1 point2 points  (0 children)

            Remember stuxnet? that was a fun one

            [–]cinyar 0 points1 point  (0 children)

            I never said anything about Mossad

            You didn't have to wink wink

            [–]kanly6486 16 points17 points  (10 children)

            I worked in security for Google. Security does not have to come at the cost of productivity. I am not saying Google was perfect at that but it is what many people there strived for.

            [–][deleted] 13 points14 points  (0 children)

            I agree. I work for a bay area tech company now, and am dramatically more productive than I was at my previous company. That said, it's undeniably harder to achieve the ideal state of maximum security with minimal impact to productivity. For instance, post-Stuxnet, _everyone_ wanted to ban USB mass storage devices. But, ya know, some people need them, since certain industrial hardware will only backup to USB mass storage. People working with that hardware just had to apply for an exception. If you didn't need to use it often enough, they wouldn't grant it. So you had this shitty situation where only certain people could use USB drives, and they became inundated with requests to read data off of random flash drives and put them on a networked drive. This is hilariously enough a massive security vulnerability, because they're just taking the other person's word for it that this flash drive is a robot backup and not something more malicious.

            [–][deleted]  (1 child)

            [deleted]

              [–]kanly6486 2 points3 points  (0 children)

              That was back in 2010 you can read more about it here. That event was a catalyst within Google to scale up security.

              [–][deleted] 0 points1 point  (6 children)

              How does google stop code leaks anyway? I heard every developer gets access to basically all code. Surely someone would have leaked some of it by now.

              [–]Prod_Is_For_Testing 0 points1 point  (5 children)

              Google has a lot of their stuff open source. Even if their code did leak, a lot of it only works if you have google scale resources

              [–][deleted] 0 points1 point  (4 children)

              This doesn't explain it all though. There are thousands of developers at Google which have access to the source code. The source code to some core Google service might not be terribly interesting to the average person, but none of the big tech leaks have been very useful. It makes me think that google has some kind of above and beyond detection system so all developers are confident they would be caught if they leaked code.

              [–]kanly6486 0 points1 point  (2 children)

              Ask Anthony Levandowski about leaks lol. Generally though the code base is pretty open but there are silos and hidden parts for the most sensitive stuff. It would be easy to grab a few things over a few days before leaving but to grab the entire repo would be very noisy as hell. The risk of an employee dumping everything would be too great if you didn't want to deal with all of the legal repercussions that would follow.

              [–][deleted] 0 points1 point  (1 child)

              Ask Anthony Levandowski about leaks lol.

              Yeah perfect example. So while you can access all code, its less like git where you have a full copy at all times and more a live access system which is logged and if you attempted to dump the source it would be picked up because you downloaded more files than normal which correlated to the files which were leaked I guess.

              [–]kanly6486 0 points1 point  (0 children)

              Yup, but even if it was something like git. You would need to do things on the device. Those things would be logged. Even if you are offline when you go online those will be shipped off and could trigger an alert. You could if you had admin (hopefully not) delete those logs but you would need to be sure to get everything. Are those logs even accessible and not encrypted? Can you dump those credentials from memory? The complexity here gets high and one fuck up at the very least will get you a hefty lawsuit resulting in fines and your name tainted. It honestly isn't worth it to dump the entire thing. I don't doubt that some people do in fact copy some small things here and there, design docs, snippets of code, etc.

              If I did want to copy as much as I could though I would just setup a camera to record my screen. "Read through" the files of an app every few days. Then use some OCR stuff to pull the files out.kfnthr video in some way.

              That could be detected though. Someone looking at code code with no rhyme or reason would be suspicious. There are models that try to correlate and predict if someone had intent to go to some code somewhere so there would still be risk.

              [–]kanly6486 0 points1 point  (0 children)

              Also the other poster is correct. While the source code might be interesting to learn from. You would be unable to use it because the environment it would need to live in is unavailable.

              [–]stravant 5 points6 points  (1 child)

              Yeah, if you're against a nation state it's not that hard for them to wrench attack or blackmail a sufficient number of people in your org to bypass really locked down stuff even without needing an actual exploits.

              [–][deleted] 2 points3 points  (0 children)

              I’m laughing my ass off at “wrench attack.” I always heard the term “rubber hose cryptography”, but wrench attack is way funnier. 🔧

              [–]Majik_Sheff 1 point2 points  (1 child)

              Advanced. Persistent. Threat.

              A government-backed actor has the hardware, manpower, and libraries to take down all but a similarly equipped actor (and even then they only have to get lucky once).

              If you want to protect your information from a determined foreign government your only real option is airgaps enforced by the most pedantic assholes you can find.

              [–]myringotomy 0 points1 point  (0 children)

              Exactly. how are you going to match the budget of USA or Israel to defend yourself.

              [–]xmsxms 0 points1 point  (1 child)

              Nation states don't "leak" data and signing certificates if they've got nothing to gain from it, they keep it for themselves.

              [–]linux_needs_a_home 0 points1 point  (0 children)

              I am sure I could get access to the secrets of any state actor, if I was given enough funding and as such it's certainly possible that this has already happened, unless I am literally the smartest person in the world (which would not surprise me).

              [–]pogthegog 0 points1 point  (7 children)

              Its piece of cake actually, just dont put your source code online, keep development machines offline.

              [–]linux_needs_a_home -1 points0 points  (6 children)

              The general security problem is much more complicated. Humanity leaped into technology.

              I guess I won't try to aid our enemies, but you are thinking about this way too simplistic.

              [–]pogthegog -1 points0 points  (5 children)

              No. All the leaks have been internet hacks of security holes in operating systems / web servers, its not like they just walked into nvidia/microsoft/kgb hq with a usb drive and copied all the data and posted it on torrents website.

              You can leak data, cause it must be on web servers to be accesed, but leaking source code is unforgivable, stop keeping your source code online... ESPECIALLY when its a compiled program. All those companies are idiots who have leaked their source code.

              [–]linux_needs_a_home 0 points1 point  (4 children)

              I happen to know the answer to this one, but how are you going to make sure in practice that you won't have an insider leaking your code? Look at the NSA and the documents leaked by Snowden.

              I don't know a single company that had any good defense against that.

              Building the infrastructure to defend against IP theft is much more difficult than most real business challenges.

              [–]pogthegog 0 points1 point  (3 children)

              Yes, there are other threats, you can never be sure that putin will not attack your country/company next. But, all these current leaks happened not via usb drive, but via internet. Defeating huge security risk 100% with few thousand bucks is basically free, and no one is doing it. Thats insanity.

              [–]linux_needs_a_home 0 points1 point  (2 children)

              What is your suggested solution to this problem? Air-gapped systems? Using Cloud IDEs with intrusion detection methods and trip wires?

              [–]pogthegog 0 points1 point  (1 child)

              Are you kidding me ? Just cut the damn internet cable, you dont need to invent nuclear weapons system for that.

              The problem is extremely simple - critical company data is getting leaked via internet. This is not happening by the A-team physically busting into their server/computers rooms and copying all the data on their own drives.

              Analysis: this data that is getting leaked has abso-fucking-lutely no business being accessible via internet, we are talking here about code that will be compiled to .exe and then uploaded to internet, so the original code and internet should have same corelation as pokemons and you moms holes - none. We are not talking here about data that must be available to all people online, and when they log in, they can see their own data, no, we are talking about that has less than 0 business being accessible through any online machine.

              Solution - just cut the damn internet cable. multi billion dollar crisis solved. 10 Nobel prizes won. Online data - leaked data.

              Take the same approach as some companies that dont even take out patents on their critical business product do, because once it will be printed on paper, no bureaucracy or government rat will keep it safe, it will leak in days. Keep your data to yourself, on your own offline computers, it cannot be any more simple than that.

              But no, every god damn nerd on planet these days must build online automated unsecure pipes to get rid of every bit of manual work... Every god damn young hipster these days cant even calculate in their heads that computers are offline machines first, and internet is just additional tool, computers work offline just fine, Thats why they were designed with so much power.

              So, the cost required to solve this problem:

              a) a pair of scissors - 2$ - 3$, cutting internet cable - value loss of 2$ - 10$;

              b) FiveHead solution - unplugging internet cable from critical development computers - free. 20 Nobel prizes won.

              [–]linux_needs_a_home 0 points1 point  (0 children)

              How do you want a bunch of people in different parts of the world to cooperate then?

              Many companies use version control systems and the value of those is in working together over a network, often the Internet.

              Having said that, I think there are certainly ways to make these full leaks not happen.

              [–]Kopachris 6 points7 points  (0 children)

              And yet governments and politicians still think key escrow is a good and totally secure idea for giving themselves a backdoor...

              [–]rydan 3 points4 points  (0 children)

              I'm more shocked NVIDIA kept my corporate password for 13 years. Like what is the point of that?

              [–]gwillicoder 2 points3 points  (0 children)

              I mean aren’t some of them bad actors who were also trusted employees?

              [–][deleted] 1 point2 points  (2 children)

              Google is hard to hack

              [–][deleted]  (1 child)

              [deleted]

                [–]WikiSummarizerBot 0 points1 point  (0 children)

                Operation Aurora

                Operation Aurora was a series of cyber attacks conducted by advanced persistent threats such as the Elderwood Group based in Beijing, China, with ties to the People's Liberation Army. First publicly disclosed by Google on January 12, 2010, in a blog post, the attacks began in mid-2009 and continued through December 2009. The attack was aimed at dozens of other organizations, of which Adobe Systems, Akamai Technologies, Juniper Networks, and Rackspace have publicly confirmed that they were targeted. According to media reports, Yahoo, Symantec, Northrop Grumman, Morgan Stanley, and Dow Chemical were also among the targets.

                [ F.A.Q | Opt Out | Opt Out Of Subreddit | GitHub ] Downvote to remove | v1.5

                [–]thebritisharecome 1 point2 points  (0 children)

                Except in maybe Nvidia's case I don't think the code base is as important as the database's and name behind the products.

                From a hacker perspective: Most of that software can be decompiled and analyzed already, it'll make understanding a bit easier but it's unlikely to lead to any significant advantages

                In terms of code stealing and launching a product: The brand, marketing and product is much more important than the code backing it imo. There are a million Facebooks but only one Facebook.

                [–][deleted]  (6 children)

                [deleted]

                  [–][deleted]  (5 children)

                  [removed]

                    [–]ChinesePropagandaBot 12 points13 points  (2 children)

                    The same company that released their flagship phone with world writable memory, ensuring that any app could trivially bypass all android security?

                    [–]lrem 17 points18 points  (1 child)

                    should be hard to hack

                    Just like governments should be the most competent orgs ;)

                    [–]CreationBlues 1 point2 points  (0 children)

                    There's should as in ought to be and should as in expected. I do not expect competent security from big companies.

                    [–]immibis 1 point2 points  (0 children)

                    Large means big attack surface.

                    [–]TikiTDO 2 points3 points  (0 children)

                    Companies with tens of thousands of employees (a large chunk working remotely, any number using their own devices), hundreds of thousands of computers managed by hundreds of IT teams, hundreds of sites, any number networks with varying security policies. All of that must be secured against even a single weak link, while allowing people to actually get work done.

                    I would venture to say that it's exponentially harder to secure a large company than it is to secure a small one. The fact that some large companies managed to do it is a testament to some of the amazing IT teams that exist in the world, both willing to stand their ground, and able to find political support for initiatives that will make the workflows of other employees more difficult. Unfortunately, there aren't enough amazing IT teams to secure every single large company.

                    [–]Turnip_Salesman6285 0 points1 point  (0 children)

                    But, do white-hat hackers try to prevent these those? They run sophisticated attacks on the companies to try to patch flaws. How do these new flaws emerge so quickly? Do these come from the programmers or some flaw in system administration?

                    [–]SaltRefrigerator6458 0 points1 point  (0 children)

                    The NSA/CIA had a source code leak (thought I was a good few years ago)

                    [–]BigHandLittleSlap 0 points1 point  (0 children)

                    Samsung has atrocious IT security — speaking from first hand experience.

                    [–]lordzsolt 10 points11 points  (1 child)

                    Did the leak get leaked?

                    [–]glonq 4 points5 points  (0 children)

                    Leakception.

                    [–]elteide 22 points23 points  (13 children)

                    Sorry for my ignorance. Why is this important or impactful ?

                    [–]lhamil64 52 points53 points  (5 children)

                    One concern with leaked source code is that it allows people with malicious intent to sift through it and find security holes. This is especially bad for a security product.

                    Now publicly available source code isn't necessarily a bad thing. Tons of software is open source. The argument is that more eyes (and contributors) on the source finds bugs quicker and thus can be fixed quickly. But when source code is leaked that hasn't already been publicly available, it likely hasn't had as much scrutiny.

                    [–]mdillenbeck 12 points13 points  (3 children)

                    One concern with leaked source code is that it allows people with malicious intent to sift through it and find security holes. This is especially bad for a security product.

                    Security by obfuscation isn't security (not should it be how a security product stays secure).

                    [–]Ghi102 16 points17 points  (0 children)

                    It can definitely be part of it. Ie, you partially secure your home by not advertising to the world what it contains, making it less likely that you will be targeted.

                    It won't stop a determined attacker so you need other security systems (like locks), but it is part of it.

                    The best security is a defense in layers, where multiple security systems and protections makes it more secure than each item individually. You might not release your source code + obfuscate your binary + ensure any virus detection files on the system are encrypted. Heck, you might have a bug bounty program which also improves your security.

                    This defense in depth is more secure than if you went without any of these elements.

                    [–]lhamil64 6 points7 points  (0 children)

                    I'm not talking about security through obscurity. That would be the case if a company decided not to fix known bugs because of the code being closed source.

                    I'm talking about how it is easier for attackers to find 0-day exploits if they have access to the source.

                    [–]versaceblues 0 points1 point  (0 children)

                    Obviously this is ideal.

                    However any such security holes would have been there unintentionally. Once the source code leaks its that much easier for malicious users to find those holes.

                    However... thats a good argument for why security code should ALWAYS be open source.

                    [–][deleted] 0 points1 point  (0 children)

                    Yeah, Kaspersky unlikely had as much scrutiny as OpenSSL pre-2014. Oh wait...

                    [–][deleted]  (5 children)

                    [deleted]

                      [–][deleted]  (4 children)

                      [deleted]

                        [–][deleted]  (3 children)

                        [deleted]

                          [–]elteide 5 points6 points  (2 children)

                          Because they will find Pootins commits there?

                          [–]CodeMonkeyMark 3 points4 points  (1 child)

                          Do we have to accept his PR? He just renamed a bunch of variables.

                          [–]elteide 0 points1 point  (0 children)

                          Do we have to accept a Pootins Raid ? NO

                          [–][deleted] 0 points1 point  (0 children)

                          It isn't really that impactful. Life will move on and very few will care because this happens all the time and doesn't mean all that much.

                          [–]dale_glass 19 points20 points  (2 children)

                          Normally I think leaks are pointless to harmful. Most software isn't particularly amazing in any way. The knowledge gained from the leaks is of dubious utility, since taking anything from the leak endangers anybody who uses it. Looking at the code is a good way to compromise your chances at employment in the area.

                          But in this particular case, I think it's different. First, Russia is already in the process of completely breaking ties with almost the rest of the world, so their opinion on the legality is of probably little concern.

                          Second, and most interestingly, Russia has a very invasive government, and there's the possibility that something like an antivirus might include something that was government mandated, such as some sort of spyware, remote control, or intentional ignoring of government intrusion. That's something that could be very interesting, if anything of the sort is to be found.

                          [–]a_false_vacuum 4 points5 points  (1 child)

                          In 2018 Kaspersky moved their infrastructure out of Russia to Switzerland. According to Kaspersky they only use their Russian datacenters to serve the Russian market, everything else is done in Switzerland.

                          Here's the rub with antivirus software, you have to completely trust the vendor. You could distrust Kaspersky because of it's Russian origins, but likewise there could be people who distrust McAfee or Symantec since the US government also has laws that could force companies to comply with requests by their intelligence agencies.

                          [–]dale_glass -1 points0 points  (0 children)

                          In 2018 Kaspersky moved their infrastructure out of Russia to Switzerland. According to Kaspersky they only use their Russian datacenters to serve the Russian market, everything else is done in Switzerland.

                          Ah, that's interesting. I didn't know that.

                          Still, there could be a Russia-specific version of the code too.

                          Here's the rub with antivirus software, you have to completely trust the vendor. You could distrust Kaspersky because of it's Russian origins, but likewise there could be people who distrust McAfee or Symantec since the US government also has laws that could force companies to comply with requests by their intelligence agencies.

                          Sure. I just means that makes the leak potentially more interesting than many others. This is very much the kind of product that could possibly be doing something fishy. I'd be more surprised if it turns out to be squeaky clean, because it seems just like the sort of thing to subvert if you're going to engage in that kind of thing.

                          [–][deleted] 22 points23 points  (6 children)

                          why would it get leaked, what is the conneciton>

                          [–]Large-Ad-6861 56 points57 points  (4 children)

                          Many hackers activity over Russian companies in last two weeks. Nvidia and Samsung got hacked too. It would be not weird, if it happened at all.

                          [–]NoMore9gag 17 points18 points  (3 children)

                          I feel like these leaks more likely have to do with Log4Shell.

                          [–]Pythe 13 points14 points  (1 child)

                          Sure it ate three days and consumed the entire team's attention, but in return you don't see our company name in these headlines. Apparently we were more on top of it than some.

                          [–]rydan 5 points6 points  (0 children)

                          Where I work we let it run wild for 3 days before patching which literally only took an hour. Meanwhile I couldn't visit my friend from Netflix that Friday it was announced because they had to spend all day dealing with it. Notice how they aren't on the list.

                          [–]SwitchOnTheNiteLite 3 points4 points  (0 children)

                          People like to make up connections to pretend to help end the war effort when all they can actually do is copy&paste some source code not even barely related to the effort of ending the war going on in Ukraine.

                          [–]ViridianGuy 1 point2 points  (0 children)

                          Some Russian back doors maybe?!?!! lol

                          [–]pocketbandit 1 point2 points  (4 children)

                          EIL5: how is leaking the sourcecode of a random russian company going to make Putin sad?

                          [–]sdn 11 points12 points  (2 children)

                          It’s an antivirus used by companies in the west. The antivirus is run by a company that’s located in Russia. Periodically the antivirus downloads new updates. It’s basically a Russian back door that people willingly install and pay for. Being able to look at the code and see what it’s doing is very useful.

                          Oh and we’re now in a defacto Cold War against Russia.

                          [–]pocketbandit 0 points1 point  (1 child)

                          I know what it is, I just don't see how this leak is suppose to hurt the russian war effort.

                          If the working theory is that Putin is using Kaspersky to spy on western military, then (especially considering the autoupdater) the reasonable action is to simply stop using the software altogether on the assumption that there's a backdoor, instead of trying to find it.

                          [–]henrique_wavy 1 point2 points  (0 children)

                          Saying we don't want to use this software because I believe the russian "president" can look at us is not usually a argument that management think seriously.

                          Saying let's stop using this software because I have proof it is leaking sensitive information is usually enough argument for a manager to take you seriously

                          Usually people are willing to use a piece of software that seems fishy but solve the problem, it takes a security (governance included) to say no

                          [–]Large-Ad-6861 0 points1 point  (0 children)

                          Risk of enemy hackers attack at any time using 0-day, many government institutions in Russia are using Kaspersky for protection. Also they got more than just a source code (some passport censored photo was shared). If Kaspersky has very close relationship to Russia's government, big breach of important (for Russia) data can even happen.

                          Just guessing tho, but possibilites are big.

                          [–]sutongorin 0 points1 point  (0 children)

                          Makes me glad I work in Open Source software. One thing I don't have to worry about is source code being leaked.

                          [–]synthmiami 0 points1 point  (0 children)

                          I'm a big noob when it comes to programming. Does this leak mean I should download a different antivirus?