I tweeted:
@thegrugq Israelis they hacked Kerspersky, saw Russians there, tell NSA, lots of he, they, we say, few facts.
[T]the grugq @thegrugq responded with the best question on the Kaspersky story:
What would count as a fact here? Kaspersky publicised the hack when it happened. Does that count as a fact?
What counts as a fact is central to my claim that thus far, all we have seen is fact-free reporting on the alleged use of Kaspersky Lab software to obtain NSA tools.
Opinions are reported but not facts you could give to an expert like Bruce Schneier ask for an opinion.
What would I think of as “facts” in this case?
What did Israeli intelligence allegedly see when it hacked into Kaspersky Lab?
Not some of the data, not part of the data, but a record of all the data seen upon which they then concluded the Russians were using it to search for NSA software.
To the automatic objection this was a “secret intelligence operation,” let me point out that without that evidence, the NSA and anyone else further down the chain of distribution of the Israeli opinion, were being manipulated by that opinion in the absence of facts.
Just as the NSA wants to foist its opinion on the public, through unnamed sources, without any evidence for the public to form its own opinion based on facts.
The prevention of contrary opinions or avoiding questioning of an opinion, can only be achieved by blocking access to the alleged evidence that “supports” the opinion.
Without any “facts” to speak of, the Department of Homeland Security, is attempting to govern all federal agencies and their use of Kaspersky security software.
Stating the converse, how do you dispute claims made by unnamed sources that say the Israelis saw the Russians using Kaspersky Lab software to look for NSA software?
The obvious answer is that you can’t. There are no facts to check, no data to examine, and that, in my opinion, is intentional.
PS: If you want to steal NSA software, history says the easiest route is to become an NSA contractor. Much simpler than hacking anti-virus software, then using it to identify likely computers, then hacking identified computers. Plus, you paid vacation every year until you are caught. Who can argue with that?