Kaspersky and spying for Russian Federation


Recommended Posts

EJocys
8 minutes ago, adrynalyne said:

Your lack of ability to provide evidence is what contributes to it. Your lack of knowledge of ip geolocation and how inaccurate it can be contributes to it. 

 

i think it is true in any language--if you make a bold claim, back it up. You are not doing that here. 

I've provided enough facts and evidence for user to test it. You are just not accepting provided data as an evidence and refusing to check it by yourself.

Link to post
Share on other sites
EJocys
2 minutes ago, AndyMutz said:

i just tried this and i have no traces of any kaspersky entries in that log.

i have been using kaspersky for years, but i am not using every protection it offers, e.g. i always disable the browser addon and i also deactivate the URL and HTTPS scan options.

 

 -andy-

You have to use "Internet Explorer", enable Kaspersky addon and press F12 inside the web browser to see if browser tries to make requests to ie.kis.scr.kaspersky-labs.com.

 

Link to post
Share on other sites
adrynalyne
5 minutes ago, EJocys said:

I've provided enough facts and evidence for user to test it. You are just not accepting provided data as an evidence and refusing to check it by yourself.

I didnt make the claim, you did. You have yet to tell me what sensitive information was sent. You are purposely dodging the question. Why should I pollute my machine with an AV I would never use for me to prove to myself a claim someone else made? If I was making the claim and told you the same, you would not do so either. 

 

Just provide evidence of senstive information being sent and we can be done with this. It only serves to make you look ridiculous by dancing around the issue. 

Link to post
Share on other sites
EJocys
10 minutes ago, adrynalyne said:

I didnt make the claim, you did. You have yet to tell me what sensitive information was sent. You are purposely dodging the question. Why should I pollute my machine with an AV I would never use for me to prove to myself a claim someone else made? If I was making the claim and told you the same, you would not do so either. 

 

Just provide evidence of senstive information being on being sent and we can be done with this. It only serves to make you look ridiculous by dancing around the issue. 

Browser debug tools clearly shows that data was not only sent but response was received and I could see results (Script and JASON data). I proved my original claim - browser tried to make request to URL which has external address with geolocation in Moscow. Then, you asked me to prove something which I did not claimed i.e. that request reached remote server. I have no intention to prove this extra claim, because I removed Kaspersky from all my PCs and have no intention to reinstall it. For this reason I've asked users to test (gather evidence) themselves.

 

You could be more precise-specific with your answers. Pointing directly to, where I am wrong, would be more constructive in this discussion, than abstract statement, that I don't know something about network and security.

 

 

Link to post
Share on other sites
EJocys
3 hours ago, Gary7 said:

Maybe this belongs in The Tin Foil Hat section :p

Tin-foil hats are for amateurs… professionals, like me, always use heavy-duty lead helmets.

  • Like 1
Link to post
Share on other sites
adrynalyne
11 minutes ago, EJocys said:

Browser debug tools clearly shows that data was not only sent but response was received and I could see results (Script and JASON data). I proved my original claim - browser tried to make request to URL which has external address with geolocation in Moscow. Then, you asked me to prove something which I did not claimed i.e. that request reached remote server. I have no intention to prove this extra claim, because I removed Kaspersky from all my PCs and have no intention to reinstall it. For this reason I've asked users to test (gather evidence) themselves.

 

You could be more precise-specific with your answers. Pointing directly to, where I am wrong, would be more constructive in this discussion, than abstract statement, that I don't know something about network and security.

 

 

Did you not post this?

 

or example: Every time I was using secure search on google.co.uk, Kaspersky would make connections to server in Russia and load JavaScript which in itself enables

ability to send all my logins, passwords and other sensitive data to file providers, because it was running from inside a secure connection and all sensitive data was available in plain text:

 

I want to see evidence of what is highlighted. Your links don't work. I don't know why you thought they would.

Link to post
Share on other sites
EJocys
31 minutes ago, adrynalyne said:

Did you not post this?

 

 

 

 

I want to see evidence of what is highlighted. Your links don't work. I don't know why you thought they would.

See. We don't agree even on what sensitive data is. I think that information about bank (clearly supplied in URL), I hold my accounts in, is sensitive data, because it allows more precise targeting for hackers. Since requests to external URL include not only bank host name, but path and query (GET data) this means that much more than just bank name is sent to third party.

It doe not end here. Web browser gets reply as a JavaScript and this opens possibilities to request any data from the page on demand. I used that method myself to override functions on remote clients, it was legal because my code was not coming from third party and was used to fix broken functions I could not deploy onto to remote client. I knew what I could do with my "workaround" and how to bypass cross-domain restriction when submitting data to third parties and this is exactly why I don't feel comfortable when Kaspersky is using similar method.

 

> Your links don't work. I don't know why you thought they would.

 

These links return data to browser only when Kaspersky add-on handles them, which is perfectly expected. It is up to Kaspersky to refresh them and decide who gets cashed content and who get updated version directly or indirectly from the Internet.

 

Edited by EJocys
Link to post
Share on other sites
adrynalyne
20 minutes ago, EJocys said:

See. We don't agree even on what sensitive data is. I think that information about bank (clearly supplied in URL), I hold my accounts in, is sensitive data, because it allows more precise targeting for hackers. Since requests to external URL include not only bank host name, but path and query (GET data) this means that much more than just bank name is sent to third party.

It doe not end here. Web browser gets reply as a JavaScript and this opens possibilities to request any data from the page on demand. I used that method myself to override functions on remote clients, it was legal because my code was not coming from third party and was used to fix broken functions I could not deploy onto to remote client. I knew what I could do with my "workaround" and how to bypass cross-domain restriction when submitting data to third parties and this is exactly why I don't feel comfortable when Kaspersky is using similar method.

 

> Your links don't work. I don't know why you thought they would.

 

These links return data to browser only when Kaspersky add-on handles them, which is perfectly expected. It is up to Kaspersky to refresh them and decide who gets cashed content and who get updated version directly or indirectly from the Internet.

 

If that was sensitive to you, then I don't know what to tell you. Thousands (more?) use that same URL...

Link to post
Share on other sites
EJocys
2 hours ago, adrynalyne said:

If that was sensitive to you, then I don't know what to tell you. Thousands (more?) use that same URL...

Amount of users does not make information non-sensitive. Pornhub users would agree. :)

Link to post
Share on other sites
adrynalyne
39 minutes ago, EJocys said:

Amount of users does not make information non-sensitive. Pornhub users would agree. :)

It isn't sensitive nor private if everyone uses it. 

 

Do you feel the same about Google.com? It isn't any different. 

Link to post
Share on other sites
EJocys
39 minutes ago, adrynalyne said:

It isn't sensitive nor private if everyone uses it. 

 

Do you feel the same about Google.com? It isn't any different. 

Sensitivity of data doesn't depend on popularity of the website. There is a difference between information that you are visiting google and information on what you are looking for. If person is nobody, then he is safe, because nobody gives a ###### what he is doing, but information gives ability to use blackmail if it is private and person holds some decision power. For example person from the government who is using online cheating or some other kinky site, person who is looking at his medical records, or gay politician who is visiting gay sites and lives in a country with strict sharia laws. There are sites which use URL query to pass private data when using HTTPS, especially web sites with REST design. Also to note: You managed to ignore important part that, that URL to Kaspersky included not just domain name but full path.

 

P.S.: I must admit that system, designed by Kaspersky is actually brilliant, because if Kaspersky allows browser to make full request then Russian Secret services can enable spying and hacking on any client of their choosing. This system potentially allows to kill and infect all Kapsersky protected PCs in a single move if cyber attack by government is necessary. Why? because, according to web browser debug logs, every web browser "protected" by Kaspersky tries to get out and call the mothership. And you can't just refuse to visit some "infected" site, because browser tries to make this call for every site.

Link to post
Share on other sites
adrynalyne
2 minutes ago, EJocys said:

Sensitivity of data doesn't depend on popularity of the website. There is a difference between information that you are visiting google and information on what you are looking for. If person is nobody, then he is safe, because nobody gives a ###### what he is doing, but information gives ability to use blackmail if it is private and person holds some decision power. For example person from the government who is using online cheating or some other kinky site, person who is looking at his medical records, or gay politician who is visiting gay sites and lives in a country with strict sharia laws. There are sites which use URL query to pass private data when using HTTPS, especially web sites with REST design. Also to note: You managed to ignore important part that, that URL to Kaspersky included not just domain name but full path.

 

P.S.: I must admit that system, designed by Kaspersky is actually brilliant, because if Kaspersky allows browser to make full request then Russian Secret services can enable spying and hacking on any client of their choosing. This system potentially allows to kill and infect all Kapsersky protected PCs in a single move if cyber attack by government is necessary. Why? because, according to web browser debug logs, every web browser "protected" by Kaspersky tries to get out and call the mothership. And you can't just refuse to visit some "infected" site, because browser tries to make this call for every site.

I'm done. Your PS statement is absolutely ridiculous. 

Link to post
Share on other sites
EJocys
17 minutes ago, adrynalyne said:

I'm done. Your PS statement is absolutely ridiculous. 

Which part is ridiculous exactly? Because everything is supported by evidence. Please explain why Kaspersky choose to force browser to make request to domain name which points to external source on the internet when 127.0.0.1 would be fine and much more secure? Do you think that they made this mistake because they are stupid? Maybe you need a reality check and realize that Russia is under sanctions, because their government is not known for their moral behaviour. It is not ridiculous, it would be perfectly normal behaviour for a country which fights hybrid wars with other countries and constantly lies on TV channels owned by the government.

Edited by EJocys
Link to post
Share on other sites
+jnelsoninjax
12 hours ago, EJocys said:

So, if you have Kaspersky on your computer, then please open secure site like https://www.google.com, press F12 for debug mode, go into “Network” tab, refresh page, see for yourself and report your opinion.

 

Thank you.

Funny, I have Kaspersky Total Security and just did as you requested, and the only traffic that shows is to Google, nothing else, just Google.

Capture.PNG

Link to post
Share on other sites
+E.Worm Jimmy
9 minutes ago, EJocys said:

Which part is ridiculous exactly? Because everything is supported by evidence. Please explain why Kaspersky choose to force browser to make request to domain name which points to external source on the internet when 127.0.0.1 would be fine and much more secure? Do you think that they made this mistake because they are stupid? Maybe you need a reality check and realize that Russia is under sanctions, because their government is not known for their moral behaviour.

I have met Kaspersky, and his employees... By random chance.

 

At computing meetings in Russia.. In airplane, sitting next to them....

 

And i know i would not trust them.

 

I would not touch that antivirus with a 10 foot pole. 

 

If it is not the government... They are selling all your info to the highest bidder. That is a fact.

 

 

Link to post
Share on other sites
goretsky

Hello,

 

Perhaps the following would be of interest:

 

Quote

Kaspersky Lab would like to explain the injection of special script in web pages loaded in users’ browsers. This technology is going to replace the obsolete plugin technology in our consumer products launched or updated in 2015 and later on. The new protection technology adds a special script to a web page shown to the user, which does not send any data from the computer to third-party servers but works as a communication channel between the browser and our security solution. This interaction is performed in the form of sending requests to a special technical URL, which the browser interprets as addressing a remote server, however, instead of the remote server these special requests are handled by security solution, running locally. This means that no information leaves the computer via this script.


This technology is used by several components of Kaspersky Lab solutions for home users, including web antivirus, anti-phishing and Safe Money. As this technology was designed solely for the purpose of providing better protection, our products currently do not offer an option of disabling this script. However, our experts are currently working on modifications to the company’s solutions that will enable users to disable the script if they desire. This change may be included in forthcoming updates.

 

Source:  f.kis.scr, main.js javascript injection issue with Firefox, [merged with same]  (Kaspersky Lab Forum)

 

So, it looks like it is a normal part of their software.

 

Regards,

 

Aryeh Goretsky

 

 

 

  • Like 2
Link to post
Share on other sites
EJocys
6 hours ago, goretsky said:

Hello,

 

Perhaps the following would be of interest:

 

 

Source:  f.kis.scr, main.js javascript injection issue with Firefox, [merged with same]  (Kaspersky Lab Forum)

 

So, it looks like it is a normal part of their software.

 

Regards,

 

Aryeh Goretsky

 

 

 

That was very informative. Thank you.

 

Kaspersky claims that "requests are handled by security solution, running locally", but they do not explain why they decided to use live domains for local solution. If "security solution" was not intercepting then requests would go directly to their servers on The Internet. In the context, sentence "technology was designed solely for the purpose of providing better protection" sounds a little bit like "we are spying on you for your own protection" :).

 

P.S.: This reminded me to check if they conveniently forgot to remove something, after I uninstalled Kaspersky Anti-Virus. Antivirus scans content of HTTPS web sites by creating tunnel and having full access in unencrypted form, which is normal practice for firewalls. In order for web browser not display security warnings, Kaspersky installs security certificate into "Trusted Root Certification Authorities". Launched "certmgr.msc" and here it is - forgotten "Kaspersky Anti-Virus Personal Root Certificate". Removed.

  • Like 1
Link to post
Share on other sites
goretsky

Hello,

 

No idea about the decision to use live domains.  I would imagine there is some logical reason for this, though.  I've met a number of their researchers over the years and they're pretty sharp.

 

Decrypting encrypted streams to scan them is pretty standard behavior for anti-malware software these days.

 

Regards,

 

Aryeh Goretsky

 

  • Like 1
Link to post
Share on other sites
d5aqoëp

@OP

...and Windows 10 is sending all your data to US Federation. .... Drumroll !!

 

Doesn't matter. Your personal data is always going to end up at either side of the world the moment you plug that LAN cable or join wifi. Don't worry. Your data would be safe there :)

 

If you are really paranoid, back up and save that data to Baidu cloud too just to be safe.

Link to post
Share on other sites
EJocys
1 hour ago, goretsky said:

Hello,

 

No idea about the decision to use live domains.  I would imagine there is some logical reason for this, though.  I've met a number of their researchers over the years and they're pretty sharp.

 

Decrypting encrypted streams to scan them is pretty standard behavior for anti-malware software these days.

 

Regards,

 

Aryeh Goretsky

 

I agree that they are pretty sharp and I liked their product in general.

 

My tin-foil side thinks that script injection was created as a workaround to solve the legal issue i.e. to be able to make an official claim that Kaspersky is not sending customers data to Kaspersky servers. Technically they are correct. It is the browser, which is trying to send data to Kaspersky servers. Kaspersky antivirus is just giving ze orders :). Live domain means that Kaspersky use rules, which are responsible to identify which domains can pass through and which will be blocked. My wild guess would be that there is a way to edit these rules without recompiling the code. This would make product compatible with the countries where law requires access to tracking by the government.


People are forgetting that anti-virus software plays major role in cyber warfare. It is like missile defence system but against viruses and hacking. It would be naïve to think that governments are not interested in affecting antivirus products in order for it to give strategic advantage, especially knowing the fact that CEO of Kaspersky was educated in KGB sponsored facility and worked with FSB.

Link to post
Share on other sites
Alejandro779
On 8/21/2016 at 2:01 PM, EJocys said:

You don't understand the problem. Problem is that Kesperky injects scripts into encrypted content and browser tries to post data to external servers on the internet.

You dont undestand an a idea. 

 

If you visiting www.Santander-bank.com it will say STOP, instead of original santanderbank.com

 

And it checking ANY JS scripts of any hosts to worry you if host been hacked. As again STOP you paranoia and disable kaspersky at network setting if you dont like it.

http://support.kaspersky.com/us/9007#block2

12092_0413-274390.png

conflittorete.jpg

Link to post
Share on other sites
+Mirumir

If you are worried Obama or Google will take away or infringe upon your rights, move to Russia where the Russian ICBMs will protect you.

 

/trollface

  • Like 1
Link to post
Share on other sites
T3X4S

Oh man, just when I think I have seen all the crazy neowin has to offer...

 

  • Like 3
Link to post
Share on other sites
adrynalyne
7 minutes ago, T3X4S said:

Oh man, just when I think I have seen all the crazy neowin has to offer...

 

Never a dull moment, that's for sure. 

  • Like 1
Link to post
Share on other sites
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.