Stop Using Software Built in Russia

The war in Ukraine that broke out in late February 2022 forces me to tell you to shut down, uninstall, and replace any software built in Russia that is on any computer you control. I am not the only one saying this. The caution applies especially to anti-virus and anti-malware utilities and Virtual Private Network (VPN) tools.

Anti-virus and anti-malware tools must have access to everything on a computer, and they are remotely updated almost every day, which makes them dangerous if they are subject to unscrupulous interference. Virtual Private Networks are used to make network traffic harder to snoop on and more secure. They can be dangerous because their manufacturer may have access to all your network traffic. Most apps only access their own network traffic.

If you are sympathetic to the plight of Ukraine, getting rid of Russian software is a way to place your own economic sanction on the invaders. Giving up Russian vodka and caviar is another way.

If you don’t care about Ukraine, you still have another critical reason to act.

You must understand that your computing systems depend on the honesty and integrity of the manufacturers of the software running on your computer. Vulnerabilities, that is, security weaknesses, are discovered in software from reputable software houses all the time. Most of these are mistakes, but some are software features: functionality that makes us want to buy the software. Some of these features give manufacturers extraordinary power over systems.

This is not all bad. Software design frequently trades off between security and efficiency or convenience. A classic book on software design, Design Patterns, describes building blocks for designing reusable software modules, including patterns for making data and processes accessible throughout a system. These accessibility building blocks make a system more efficient, but less secure because a tiny breach can open up an entire system. The security of well-designed systems depends on the integrity and care taken by their manufacturers to strike the right balance. A careless or unscrupulous manufacturer can release scandalously insecure applications that the market will lap up, until the disastrous insecurity is discovered and a crisis ensues.

For example, a password reset provision in an application is a great convenience, and nearly a requirement for any commercial product. Yet password reset is a gaping security hole when the wrong hands are able to invite unauthorized actors into a system by changing passwords. Remote access for support is another required feature for most systems that becomes a weapon when a criminal uses it to take over.

Backdoors—routes into an application known only to developers—used to be common. Backdoors are now considered extremely bad practice, but some developers still use them to save time during development. But the last few weeks before release are often the most hectic of the entire software development cycle. Unless management insists, removing backdoors can be neglected by busy developers working long hours. The software user’s only protection from secret backdoor access is the integrity and honesty of the software manufacturer.

This is why I continually tell folks to be careful about what they install on their computers. Only install apps from reputable vendors. Don’t just assume a vendor is reputable; actively check them out.

Some, perhaps most, Russian software companies are honest and do not intend to exploit their customers. However, all businesses operating in Russia are subject to coercion by their government. That’s the way business now works in that country. If the Russian government wants a backdoor into an application, they can compel a Russian company to put one in. Since the war in Ukraine started, the pressures can only have increased.

Doing business in Russia differs from business in western countries like the United States, Canada, and the European Union. Government and private abuses do occur here, but we have a free press, whistleblower protection, and a tradition of following laws that are scrutinized by the public and changed when enough people oppose them. Maybe not fast enough, often enough, or exactly the way each of us might agree with, but the public eventually is heard in western governments.

With the Ukraine war, public oversight and rule of law in Russia have disappeared. You may argue that they were never present, but your computer is still in jeopardy if you are running Russia-built software. Your home computer could conceivably become an instrument in a cyberattack on western or Ukrainian infrastructure. Compromised home computers have played roles in criminal attempts to shut down servers by overwhelming them with traffic.

I don’t like blacklists and I will not publish a Russia blacklist here. I urge everyone to add checking for Russian involvement as part of their due diligence for installing software on their computer. As much as I admire Chinese traditional culture, I have also added the People’s Republic of China to my due diligence list. North Korea goes without saying, but I’ve never seen a North Korean software product.

For example, Kaspersky Internet Security is a popular and powerful anti-virus tool. Run a Google Search on “Kaspersky Internet Security Russia” and see dozens of items on the dangers of Kaspersky. Wikipedia has a “Software companies of Russia” page. These provide useful hints.

Ultimately, in this age of misinformation, you have to rely on research and judgement.

I am a cautious person by nature and do a lot of research. Along with reading software reviews, I go to the website of software houses I suspect and check their corporate pages.

Is their stock publicly traded? I tend to be less suspicious of companies traded on the Nasdaq or New York stock exchanges. The Securities and Exchange Commission (SEC) and the Federal Trade Commission help keep them honest, although foreign investment is allowed. Privately held corporations and those on foreign exchanges get more scrutiny from me.

Where is their company headquarters? Where do their officers and members of their board of directors live? Where are their development labs? Most large software companies now have labs all over the world, but a company with most of its developers in Russia attracts my suspicion. Check their job listings. Where are they recruiting? What does the trade press say about the company?

Triangulate multiple sources. The fact-checker’s rule of thumb is that any point not supported by three independent sources requires more examination. Be extra cautious when a piece “just sounds right.” That may be your preconceived bias speaking to you, a frequent source of bad decisions.

When my suspicions are aroused, I must have a good reason to install or continue to use the company’s software on my systems.

Be careful, folks.

A note of thanks to my friend from the Whatcom County Library System, Neil McKay, for edits and useful comments.
