koolba · a year ago
For context (that of course is buried far from the title), Kaspersky is a Russian company and Apple, being an American one, is subject to the embargo and sanction list of the USA:

> While Kaspersky is a multi-national company, it was founded and headquartered in Russia, a country the United States has heavily sanctioned due to the war in Ukraine. This could severely restrict financial transactions between U.S. companies and those in the region.

> Additionally, per Apple Security Bounty’s terms and conditions, “Apple Security Bounty awards may not be paid to you if you are in any U.S. embargoed countries or on the U.S. Treasury Department’s list of Specially Designated Nationals, the U.S. Department of Commerce Denied Person’s List or Entity List, or any other restricted party lists.”

klabb3 · a year ago
> Galov even proposed that Kaspersky donate the bounty to charity, but Apple rejected this, citing internal policies without explanation.

I just don’t get why Apple wouldn’t cite the law if that’s the reason? Surely doesn’t look good on them if they’re just holding back bounties for undisclosed reasons.

AdamJacobMuller · a year ago
I don't think it has any benefit for them to explain why. Explaining why just invites argument.

"Oh, you can't pay because we are in Russia, just pay to our Massachusetts subsidiary!"

analognoise · a year ago
That would be seen as payment to a sanctioned entity, right? Just because you donated the award to charity doesn’t mean it isn’t considered a transaction on behalf of a sanctioned entity.

Makes total sense to me.

throwaway199956 · a year ago
There are US sanctions against Russian government and some officials, but is Russia an 'Embargoed Country' whatever might be its legal definition?

Modified3019 · a year ago
Title is misleading/clickbait.

Should be “Apple cannot legally pay bounty to Russian company due to sanctions.”

hilbert42 · a year ago
I don't understand Apple's reasoning. Keeping Kaspersky on side ought to be top priority for next time it happens the info might not be so forthcoming. Apple could easily dispose of the money in ways that showed it would pay if it could. And, to Apple, the amount isn't even small change.

everforward · a year ago
Apple runs on PR and it would be very easy to lose control of the narrative. It’s a touchy subject and the nuance here revolves around things the average news consumer probably lacks context on.

There’s a very real chance that headlines of the variety “Apple makes donation to charity to pay Russian hackers” float around. It’s not even wrong (though it lacks a lot of context).

I’m doubtful Kaspersky is even that mad about it; they knew they weren’t getting paid at the outset.

loa_in_ · a year ago
If a corporation can get away without spending money, in the clear, they will.

pquki4 · a year ago
No, at the very least a "likely" should be added to the title, as Apple never provided a specific reason.

justinclift · a year ago
Seems a bit unusual for the sanctions to also block paying a charity instead.

Well, as long as the charity is a legit thing and not some shady attempted workaround.

cqqxo4zV46cp · a year ago
Does it seem unusual? What is your usual experience with organisations based in a sanctioned country asking for a donation to charity in lieu of a bug bounty payment? It sounds like you have an interesting and unique perspective to share.

dzhiurgis · a year ago
They do somehow pay taxes to Russian government. Probably good value for money to have that backdoor tho.

Hizonner · a year ago
I've always felt sorry for Kaspersky. The leadership seems to have put together a company that's about as ethical, in culture and in the general sweep of its actions, as you can ever find in the industry. Their products tend to be in the upper tier in terms of delivering what they promise. They try to behave like "good citizens".

But the company constantly gets squeezed between trying to fight obnoxious demands from the Russian government (including, I suspect, by not expanding into businesses where those demands would be un-resistable), and trying to fight suspicion from everybody else.

dsabanin · a year ago
Kaspersky's founder is known to openly work for KGB.

> At the age of 16, Kaspersky entered a five-year program with The Technical Faculty of the KGB Higher School,[14][15] which prepared intelligence officers for the Russian military and KGB.[6][7] He graduated in 1987[14] with a degree in mathematical engineering and computer technology.[3][7] After graduating college, Kaspersky served the Soviet military intelligence service [5] as a software engineer.

https://en.wikipedia.org/wiki/Eugene_Kaspersky#:~:text=At%20....

Hizonner · a year ago
George Washington was "openly" in the British colonial forces (and for that matter Robert E. Lee was in the Union army, and Mao Zedong was in the RoC revolutionary army).

I knew dozens of people in my computer security career who'd "openly" been in technical branches of the (mostly US) military, or done classified work for defense contractors, or in a few cases who had worked for outright spy agencies (on what I do not know). Maybe a handful of them might have still been not-openly working for those agencies; most almost certainly were not.

Many of them were still obviously sympathetic to those agencies' agendas. That did not necessarily extend to helping them out in any way (although sometimes it definitely did). A few sure seemed exactly the opposite, and if they were in deep cover, they probably could have served that goal better by just keeping their mouths shut. In a few cases they helped to build organizational or technical structures that clearly would have made it harder for anybody, including the agencies they'd previously worked for, to subvert their new employers' security guarantees.

So, 35+ years ago, at 16, Kaspersky took what was probably the only technical education opportunity available to him in Soviet Russia(TM). At maybe 20, he took what was probably the only job available to him. Going by that same Wikipedia article, apparently within a year or two, he moved to private industry (such as it was in that place and time). That included getting an early release from military service (not sure how that interacted with the dissolution of the USSR, which happened at more or less the same time).

That's par for the course.

It is very, very hard to find a person or company in that space that's squeaky clean, has no conflicts of interest, and/or has no ties at all with any government or government agency you might be afraid of.

If it's a large company (bigger than Kaspersky), and has been around a while, there's a real chance that it's released products with all kinds of weird back doors, with and/or without the knowledge of its executive management. Maybe even back doors for multiple competing actors. And at the same time it may release many more products that don't have them.

I don't think Kaspersky (the man) is some kind of revolutionary, nor do I think Kaspersky (the company) is going to openly defy the Russian government. I also don't think that their trustworthiness couldn't change at any given time. I do think that they're at least averagely "good". And I think that they get way more than their share of paranoia, with tons of people just assuming that they've "always" done things with their products that, frankly, they couldn't realistically have gotten away with doing.

littlecosmic · a year ago
Trade sanctions rarely achieve their stated aim, but that doesn’t mean they aren’t the law.

throwaway199956 · a year ago
But Kaspersky specifically is not sanctioned. Is there a general sanction against all Russian firms?

mediumsmart · a year ago
Can’t Apple pay the bounty through a third country to avoid the embargo like the way that Shell and BP sell Russian oil to US companies?

SOLAR_FIELDS · a year ago
Even if they could, I doubt Apple wants anything that could be remotely construed as attempting to bypass said sanctions. Even if everything is above board, there’s also the risk of it being used as a sound bite by a politician to sway the public. So however ridiculous it might seem at face value, from their perspective it makes total sense to just not even touch the problem at all with a 10 thousand foot pole.

UncleMeat · a year ago
Imagine that meeting.

You run a bug bounty program. When you set it up you talked with a bunch of lawyers and they wrote the language saying that you can't run afoul of sanctions. But you'd like an exception so you shoot an email to the lawyer for your organization. "Hey Alice, I'd like some legal advice. I know the law says we can't pay companies in Russia but could we like, you know, set up a shell company that we can route some money through?"

SanjayMehta · a year ago
Apple just ensured that Kaspersky won’t report the next vulnerability they unearth.

mproud · a year ago
Yeah, ironically, the Russian government may be interested in paying them next time, as it could be useful in a cyber attack.

pquki4 · a year ago
Not made up -- Alibaba was actually punished for reporting the log4j vulnerability:

https://www.zdnet.com/article/log4j-chinese-regulators-suspe...

mensetmanusman · a year ago
Apple loves money, it’s why they changed the airdrop policy for China to knee-cap protesters from using sneaker net.

demarq · a year ago
Talk about burying the lede