Gene Kaspersky’s anti-virus software has been banned from use by the Federal government, mostly because an NSA software developer went “off the reservation”, took some classified software home and loaded it on a personally owned PC running Kaspersky’s AV software, which the developer had configured to share potentially malicious software with Kaspersky. That compromised an entire development project (see article here).
That was enough to get Kaspersky’s software banned from the government.
In the meantime, it appears, the FBI and 18,000 other law enforcement agencies are running fingerprint software developed by a French company who partnered, secretly, with a Russian company.
The Russian company has close ties to Putin, the Kremlin and the FSB.
The FBI opted to buy the fingerprint software from Paris-based Safran rather than from a U.S.-based company.
The Paris company partnered with the Russian company Papillion to improve its software capabilities but decided to keep that fact completely secret. Papillion boasts on its website about working with the FSB, the successor to the KGB. The agreement between the two companies says that it needs to be kept secret because, if it came out that Russian software was in use, it might doom the French company’s bid.
Apparently, according to documents which are part of a whistleblower lawsuit, the Russian company signed a document that there were no backdoors in their code. That, I am sure, will handle all issues.
At risk here is the fingerprint and related data of tens of millions of Americans and others whose fingerprints are stored by those 18,000 law enforcement agencies.
After all, if the FSB front company signed a piece of paper that their software had no backdoors in it, surely they would not lie about something like that, would they?
As the whistleblower suit proceeds we will know more.
I also assume that FBI, NSA and contractor software and security experts are poring through that software with a high-powered microscope.
However, one more time, this points out the critical nature of understanding the software supply chain. Every piece of software developed has a software supply chain, and we can certainly cover our eyes and pretend it is not a problem. I don’t think that is working out so well for the FBI right now.
Information for this post came from Buzzfeed.