How to make it difficult for family members to fall victim to malware, scams, phishing, etc.

Is it though? If you work on cybersecurity for a state actor or have the threat level of Edward Snowden, maybe that’s a reason, but not using a program because a state actor won’t use it is more likely a misunderstanding of one’s threat model than good practice.

I would never say to use a program you don’t trust, but I think it’s silly to create unsubstantiated claims as reasons to not use something. Even in the sources you provided it’s pretty 50/50 on whether Kaspersky is trusted by state actors, for example:

Interpol, an international police organization based in France, signed an agreement to further its cooperation with Kaspersky on Oct. 12.

Germany’s federal cyberagency continues to use Kaspersky’s software, pointing out that no evidence has surfaced about Russian ties. And in September, the company landed a contract with the Brazilian Armed Forces as well.

Now Germany later ended their relationship, 5 years after the first two articles you cited, which apparently was a decision made for non-technical reasons.

Kaspersky said it would seek clarification from the BSI on its decision, which was “not based on a technical assessment of Kaspersky products”, and how to address its concerns.

I think you are, as you seem to make a state actor’s threat level the common denominator, when in reality most people have far less reason to be concerned about using a tool from Kaspersky than someone from US Intelligence does. Does it seem reasonable to assume OP’s father has the same threat model as a member of the US intelligence? I don’t think so.

1 Like

Maybe not. But services that are located in countries that are not privacy friendly should be avoided, services that are located in privacy-intrusive countries especially. If those services are not open source and are located in such countries, we have no guarantee that there is nothing malicious, and they definitely should be avoided.

Some information about their shady practices

Wikipedia article and article with discussion about it.

There is also an article about their shady practices and a scandal about that company. There is also a security problem in that software, which I suspect is a backdoor.

Another article on Cnet.

If you don’t want to read all those articles, here is a summary generated by ChatGPT:
  • Investigation and Congressional Hearing: The U.S. House Committee on Science, Space and Technology held a hearing into the risks posed by Kaspersky Lab products, following allegations of the company’s ties to the Russian government. The committee’s focus included whether Kaspersky Lab was working with the Russian government, and if Kremlin spies had compromised the antivirus software. Despite the hearing, no new information emerged, and no representatives from Kaspersky Lab testified 1.

  • Security Concerns: There have been reports suggesting that Kaspersky software may have been used by Russians to steal NSA secrets from a staffer’s home laptop. The antivirus scanner detected NSA hacking tools that ended up in the hands of the Kremlin. Additionally, Israeli intelligence allegedly caught Russian hackers using Kaspersky Lab’s antivirus software to search for secret files in real time 1.

  • Internal Investigation and Transparency Initiative: Following the controversy, Kaspersky Lab launched an internal investigation and promised a transparency initiative, allowing an independent third-party review of its software, including the source code, update code, and threat detection rules. The company’s founder, Eugene Kaspersky, argued that the allegations were false and that the internal investigation confirmed no involvement in cyber-espionage 1.

  • Antivirus Functionality and Usage: Despite the controversy, Kaspersky’s antivirus software performs well for most users, effectively blocking ransomware, trojans, and malware. However, for individuals with sensitive data, there’s a heightened risk due to the allegations and the potential for misuse of the software 1.

  • Blacklisting by U.S. Government Entities: The U.S. Senate passed a bill banning Kaspersky software from all federal computers as part of the annual defense budget. The Department of Homeland Security ordered federal agencies to remove Kaspersky software from their computer systems. Stores like Best Buy, Office Depot, and Staples followed suit 1.

  • FCC Labeling: The Federal Communications Commission (FCC) labeled Kaspersky Lab as an “unacceptable” national security risk to the U.S., marking the first time a Russian company was blacklisted. This decision prevents U.S. companies from using subsidies from the FCC’s Universal Service Fund for purchasing products and services from Kaspersky 5.

  • Eugene Kaspersky’s Background: While not directly linked to the controversy, Eugene Kaspersky’s background has been highlighted. He attended a technical university run by the KGB and worked for military intelligence for four years, which critics argue could imply ties to the Russian government 4.

  • International Use and Support: Despite domestic controversies, Kaspersky Lab continues to operate internationally. For instance, Interpol cooperated with Kaspersky, and Germany’s federal cyberagency uses its software. However, the company’s reputation has been damaged in the eyes of the U.S. government

1 Like

It feels a bit ironic that you are fine using ChatGPT while making arguments against closed source software with security and privacy concerns :smiley:

This is a pretty broad generalization. Can you give me a few countries you would define as “privacy friendly”? A lot of your argument seems to revolve around what the US government says. Do you really consider the US to be a privacy friendly country? That track record is spotty at best.

I understand that there are legit concerns with Kaspersky, but they all seem to be around having the AV installed, which I never recommended doing.

Even in the articles you cited, the fact that its AV was able to pick up secret NSA hacking tools may be as much of an argument for using Kaspersky as against it.

In 2015, the antivirus scanner picked up the NSA’s hacking tools

Tools most likely used by the US government to spy on its own citizens.

It also adds to the many legitimate malware finds the company has made, which is why using something like KVRT for malware removal works so well. They have shown time and again they know what they are doing.

2 Likes

I am using ChatGPT via PhinD they don’t require any personal information (no account needed), so it’s fine.

Good:

  1. Switzerland - neutral and has strong privacy laws
  2. EU - has some laws that can protect your privacy, democratic, so nobody can break law
  3. Others - should not be a concern, at least if there’s some scandals

Bad:

  1. Any country with huge corruption and/or dictatorship regimes (corruption can be used by bad actors or government to get any information)
  2. Countries with privacy scandals
  3. Others (like USA) - should not be a concern, but if possible should be replaced

No, but there is no corruption that would let me purchase anything on the darknet (at least not at the scale found in dictatorship countries).

Yes, but it is closed source, so we have no proof that running any tool from it on a PC won’t modify anything in the system to make surveillance possible.

German officials and Italian officials say that it is better not to use it. The UK and Canada also banned it. Ukraine banned it too. Lithuanian and Dutch officials have concerns about it.

Avast article about it.

Too many countries banned one product. I think it is really dangerous.

1 Like

The EU seems like a pretty broad category and privacy laws differ drastically. For example, I would not consider Italy to be a privacy friendly country. I don’t need to go over countries one by one, but I think it’s a slippery slope to lump all 27 member states together as being “privacy friendly”.

That’s because the NSA and FBI and other agencies are not required to go to the darknet; they just purchase your information from data brokers like any other company.

The German officials link did not work.

The source about Italy you cite seems to be a political move.

Italy’s state cybersecurity agency said there was no evidence products provided by companies linked to Russia had been compromised since the Feb. 24 invasion of Ukraine.

The UK article you cite is 5 years old and even Barclays specifies in the article:

there’s nothing to suggest customers need to stop using Kaspersky.

Which goes back to what I was saying about knowing your threat model. The issues you bring up are not a concern for the average citizen who does not work in the intelligence industry.

The Canadian source also seems to be political as they admit they have not found any actual issues.

While the risks of using these applications are clear, we have no evidence that government information has been compromised.

Ukraine banning a Russian product, do you really think that has anything to do with Kaspersky?

The Lithuanian and Dutch sources do not offer much in terms of details, but all these countries just so happened to decide Kaspersky was a threat only after they got into a proxy war with Russia. The motive for these actions needs to be considered.

I am not surprised Avast, a competitor, jumped on the bandwagon, considering Avast has its own issues.

There is nothing being installed on the computer. This is an argument based solely on FUD.

3 Likes

This. Exactly this is what I did.
“Have them use Windows”
“Set yourself up as the Administrator”
“Norton Power Eraser, Kaspersky Virus Removal Tool”

1 Like

Lots of good advice in this thread, will throw in my 2 cents.

Depending on your use case. Want to set up and forget? Chromebook is the easiest, as it’s basically just a web browser, followed by macOS. If you are going with Windows, then you’ll likely want to lock down policies and disable possible foot guns. Won’t go into detail unless you need to.

Regardless of OS, installing uBlock on all browsers is a quick win to stop most online adverts.

Next, a password manager is a great option, but you’ll need to teach them how to use it. Pick one that has great integrations and is super easy to use. Install the web extension, mobile app, the works.

Finally, if using Windows, only let yourself be admin as others have mentioned. Installing new apps isn’t super duper common after initial setup for basic use cases.

Lastly, I think phishing is gonna be your biggest threat, especially for older family members. No 100% bullet proof way around this.

Adguard DNS might be a good bonus, but realistically ublock origin will catch most of this.

Last but not least, security != privacy.

2 Likes

Not phishing emails, which imo is probably the biggest threat.

How does Adguard stop phishing emails? Emails go to your email server, then you read your inbox. Not sure if they have some extension or something. Maybe they can catch cases that ublock wont, but social engineering can just be a phone call or gift card transfer over email. You’ll need a great spam filter on email, which is kind of up to the provider. I’d sadly think that Gmail has a great spam filter since they can train their spam algorithm on troves of data.

2 Likes

That’s what I’m saying. Adguard doesn’t stop emails (neither does uBlock) which still leaves the largest attack vector open.

1 Like

shrug, that is just something that can happen. Sometimes it’s not a matter of if it happens, but when it happens. Hence locking down the OS. In these cases, I’d disable RDP on Windows and completely disable the option to enable it. But this won’t stop anyone from being social engineered, just mitigate the computer attack surface.

Even spam phone calls are hard to block, and I’d argue some phone spam filter / secure options on the family’s phones would be so much better than setting up with Adguard. I block unknown numbers on my phone - if you need me, leave a voice mail.

At some point education becomes a part of security too. Security starts with people, not just tech.

1 Like

But to harken back, security isn’t privacy, and while many who know privacy also know security, there are sometimes recommendations for security that don’t always align with privacy. I think OP has somewhat conflated the two together, and I think there should be a clear distinction when asking questions if it’s for one, the other, or maybe some middle ground. OP is mentioning the worries of telemetry of companies and then is worried about malware and phishing.

Solve one problem at a time - the more infrastructure a person has setup, the more that person will have to maintain. If someone does not know what they are doing, it’ll just become a huge pain in the ass when something doesn’t work.

OP doesn’t need Proton Mail for their family. Adguard is a nice to have but not needed. 2FA is great. What OP should focus on is not letting their family get pwned and focus on what can stop that. Privacy can come after that, at least in my opinion, and doesn’t have to be a chips all in update.

5 Likes

The biggest threat. Where is the guarantee about what a closed source application that has issues with privacy will do?

This might help

Info about it

Homepage

Data Source and Analysis

Generated every 6 hours from PhishTank, OpenPhish, Cert.pl, PhishFindR, Urlscan.io and Phishunt.io reports. Each domain is analyzed to eliminate false positives, through the Whitelist of Anudeep and the Alexa Rank.

This is a good repository with some threat lists. It is better to block anything that you don’t need. It would also be good to create a filter that rejects mail with the suspicious subjects listed there.
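An added example, not part of the thread or of the linked repository's tooling: one way to apply a phishing-domain list with an allowlist pass, as the quoted description outlines, and then flag links in a message. The feed contents, the allowlist and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample feeds; a real run would read the downloaded domain list
# and an allowlist from local files instead.
BLOCKLIST_TEXT = """\
# constructed phishing-domain feed
login-example-bank.test
secure-update.example
mail.example.org
"""
ALLOWLIST_TEXT = "example.org\n"

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def parse_domains(text):
    """Return lower-cased domains, ignoring blank lines and # comments."""
    cleaned = (ln.split("#", 1)[0].strip().lower().rstrip(".")
               for ln in text.splitlines())
    return {d for d in cleaned if d}


def parent_chain(host):
    """Yield the host and each parent domain: a.b.c -> a.b.c, b.c, c."""
    labels = host.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def build_blockset(block_text, allow_text):
    """Drop blocked entries that are, or sit under, an allowlisted domain."""
    allow = parse_domains(allow_text)
    return {d for d in parse_domains(block_text)
            if not any(p in allow for p in parent_chain(d))}


def flagged_urls(message, blockset):
    """Return URLs whose host, or any parent domain of it, is blocked."""
    hits = []
    for url in URL_RE.findall(message):
        url = url.rstrip(".,;:)!?")  # trailing sentence punctuation
        try:
            host = (urlsplit(url).hostname or "").lower().rstrip(".")
        except ValueError:  # malformed URL, e.g. a broken IPv6 literal
            continue
        if any(p in blockset for p in parent_chain(host)):
            hits.append(url)
    return hits
```

Matching on parent domains means a listed domain also catches its subdomains, and the allowlist pass removes feed entries that would otherwise block a known-good site.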

I understand this, sorry I did not make it clear, security is 100% prioritised over privacy. I will revise my post. Secondly, these tips should not be exclusive to my family, they should be advice you would implement on your own family, so that others can benefit from this post. I included some examples from my family just for the sake of it.

Update: my post has been completely revised. It was previously awfully written. I have integrated and summarised the community’s solutions and advice within my post.

I have added two questions:

  1. Is it viable to install ChromeOS on a PC that comes with Windows natively? On such a device, wouldn’t Windows take better advantage of the hardware?

  2. What web browser should our non-tech savvy family members use, e.g., Brave, Chrome or Edge? I am guessing this will depend on the operating system, Chrome for ChromeOS, Edge for Windows and so on.

Oh yes, they are. :slight_smile:

It depends on many things (like your knowledge of how to replace an OS, your hardware), but the general answer is no, it’s not viable to touch the preinstalled OS.

Not necessarily…

Cross out Chrome and Edge and you get the answer :slight_smile:

Technically CrOS is better than Windows, because there is plenty of malware for Windows and it sends telemetry to Microsoft. On Linux, CrOS, Android or other Linux core based systems, it is simply harder to be infected by malware.

Firefox or Brave.

Chrome by Google is too privacy intrusive. Edge similar.

If they wanna use something that looks like Chrome they can use Chromium (do not confuse with Google Chrome!)

Not really. They are linked to Apple servers, so this is not the best. But if you don’t want to bother yourself with settings, yes.

That is the best answer :wink:

For your specific use case that doesn’t matter IMHO. Your primary concern is an easy to operate, secure OS that they cannot easily mess up and that you can fix in minutes.

Get ChromeOS Flex for PC or Mac - Chrome Enterprise should work fine on a lot of devices.

2 Likes

On desktop Linux it’s usually not harder, because the security model and exploit mitigations are not great.

2 Likes

Be aware that many distros’ Chromium builds are not well done and don’t provide the same security as Chrome. Also it lacks most privacy features you can get with Brave by default.

2 Likes

Since usability and security are top priority, using Gmail, Chrome, OneDrive and other Google services seems inevitable.