
VMware Confirms Source Code Leak

samzenpus posted about 2 years ago | from the like-a-sieve dept.

Security 109

Gunkerty Jeb writes "Purloined data and documents, including source code belonging to the U.S. software firm VMWare, continue to bubble up from the networks of a variety of compromised Chinese firms, according to 'Hardcore Charlie,' an anonymous hacker who has claimed responsibility for the hacks. In a statement on the VMWare Web site, Ian Mulholland, Director of VMWare's Security Response Center, said the company acknowledged that a source code file for its ESX product had been leaked online. In a phone interview, Mulholland told Threatpost the company was monitoring the situation and conducting an investigation into the incident."


109 comments

Nationality of hackers? (4, Interesting)

noh8rz3 (2593935) | about 2 years ago | (#39801317)

Hmm, I wonder where the hackers are based, and if it is state sponsored. Software code is the best industrial espionage, because you can re-implement it yourself. My prediction - keep an eye on the market to see who's the first to release a VMware clone!

Re:Nationality of hackers? (1)

Anonymous Coward | about 2 years ago | (#39801397)

You can't really identify who's the culprit if the code is already leaked on the internets...anyone can just take the code and build from there, even if they were never involved in the hacking/leaking that took place.

Reason of hacking ? (1)

Taco Cowboy (5327) | about 2 years ago | (#39802417)

I am quoting tfa from arstechnica:

the hacker Hardcore Charlie told Reuters earlier this month that he hacked into CEIEC seeking information on the US military campaign in Afghanistan

Apparently that hacker hacked into CEIEC - a Chinese military contractor - looking for information on the US military campaign in Afghanistan.

It's like hacking into a system owned by Palestinians looking for information regarding the Israeli military campaign.

Makes a lot of sense, doesn't it?

Re:Reason of hacking ? (3, Insightful)

Luckyo (1726890) | about 2 years ago | (#39802671)

Not really. China has a lot of intel presence in the region, and unlike US it will likely be less secure because it's not intel about THEIR OWN important operations.

So it makes a lot of sense to go after China's data on US Afghan operations.

Re:Reason of hacking ? (0)

Anonymous Coward | about 2 years ago | (#39804029)

It's like hacking into a system owned by Palestinians looking for information regarding the Israeli military campaign
Makes a lot of sense, doesn't it?

Palestine has a lot of resources dedicated to obtaining Israel's State secrets.

If you can't break into the bank vault, wait for the other guy to rob it and steal it from him instead.

Re:Nationality of hackers? (0)

Anonymous Coward | about 2 years ago | (#39801569)

keep an eye on the market to see who's the first to release a VMware clone

You mean like Xen, KVM, and Hyper-V?

Re:Nationality of hackers? (1)

Alien Being (18488) | about 2 years ago | (#39802631)

It doesn't really matter. China will gladly allow their country to profit from this theft while America will continue to bend over and take an ass-fucking by paying good money to them for chintz.

Re:Nationality of hackers? (-1)

Anonymous Coward | about 2 years ago | (#39802995)

It doesn't really matter. China will gladly allow their country to profit from this theft while America will continue to bend over and take an ass-fucking by paying good money to them for chinks .

Ftfy?

Not Just VMWare (1)

Anonymous Coward | about 2 years ago | (#39807041)

Other VMs had source leaks, too.

Xen [xen.org] had a source leak.
Virtualbox [virtualbox.org] had a source leak.
Even KVM [linux-kvm.org] had a source leak.

These VM people better get their act together!

Re:Nationality of hackers? (1)

SurfsUp (11523) | about 2 years ago | (#39808677)

It sure smells like the same group that hacked Google, using laptops running Windows inside the corporate network as the attack vector. Google's solution was to ban Windows on laptops inside the corporate network (which now requires authorization from a VP) and VMware should do that too.

Wait, Vmware code stolen from China Military (5, Interesting)

icebike (68054) | about 2 years ago | (#39801323)

Talk about burying the lead!

This VMware source code reportedly was stolen from Chinese military contractor CEIEC, the China National Electronics Import-Export Corporation. VMware code wasn't the only target.

What was the Chinese military contractor doing with the VMWare source code anyway? And what other software packages were affected?
Hackers hack, that's what they do. But Chinese military contractors with VMWare source code in hand seems a much bigger story if you ask me. Did they have a license to it? Can anyone get a license to it? And if so, why is this a big deal?

Vmware says:

VMware proactively shares its source code and interfaces with other industry participants to enable the broad virtualization ecosystem today.

They can't have it both ways, stating in the same memo that the code was stolen and also "proactively shared". What the heck does proactively shared mean anyway? Sending out sensitive hypervisor source code to foreign military contractors seems at best ill advised, but then to turn around and act all surprised and defensive when someone steals it from them seems a bit of a stretch.

Re:Wait, Vmware code stolen from China Military (1)

jhoegl (638955) | about 2 years ago | (#39801347)

Where did you see the picture which showed their surprise?
Anyways, it looks like VMWare is going open source soon!

Re:Wait, Vmware code stolen from China Military (-1)

icebike (68054) | about 2 years ago | (#39801391)

Anyways, it looks like VMWare is going open source soon!

Soon? You mean already.

Much, but not all, of Vmware has long been opensource.
But you don't put out security bulletins [vmware.com] when your opensource is stolen, now do you?

Re:Wait, Vmware code stolen from China Military (5, Informative)

bertok (226922) | about 2 years ago | (#39801777)

Who modded this informative?

VMware has mostly proprietary products. What little open source they have is there only because they are forced to by their use of Linux in ESX.

All of their core products are completely closed source, and released as binary only.

They are about as open source as Microsoft.

Re:Wait, Vmware code stolen from China Military (4, Informative)

Junta (36770) | about 2 years ago | (#39801835)

Close enough to be accurate, but they do have some incidental open source content that isn't related at all to the Linux kernel or userland. For example, their multiboot boot loader is open source and multiboot module boot has zero applicability to a Linux system. But still none of the 'meat' of their products is open source, just things like administrative utilities and boot loader and other necessary fluff that provides no value for vmware.

Re:Wait, Vmware code stolen from China Military (1)

jd2112 (1535857) | about 2 years ago | (#39802493)

Not forced, just easier to use an existing OS with wide hardware support than to roll their own including a gazillion device drivers.

Re:Wait, Vmware code stolen from China Military (1)

bill_mcgonigle (4333) | about 2 years ago | (#39803681)

All of their core products are completely closed source, and released as binary only.

ESX is now open source, but only for the bad guys.

*non-OSI definition

Re:Wait, Vmware code stolen from China Military (1)

Mana Mana (16072) | about 2 years ago | (#39805465)

> Who modded this informative?

Indeed!

> All of their core products are completely closed source

To peons like you and I: yes.

> They are about as open source as Microsoft.

Funny. You must be new around here. The bigs will share their secret sauce with clients---if they are BIG enough. MS has shared Windows code with China---going back years, check the /. archives---e.g., to ease Chinese fears there are no back doors for the USA to spy on them. Ironical, I know. *G*

Re:Wait, Vmware code stolen from China Military (1)

RCL (891376) | about 2 years ago | (#39806779)

They shared the sources with Russia as well, for similar reasons (to obtain necessary certificates).

Re:Wait, Vmware code stolen from China Military (0)

twotailakitsune (1229480) | about 2 years ago | (#39801413)

They want virtualization to grow. Sharing their code with other people working in the virtualization industry improves code both ways. Here they are talking about people who have little reason to improve the industry. The code can be used to censer people. Like nuke power. It can be used for good. Bad people could use it for good too, but they are more likely to use it for evil.

Re:Wait, Vmware code stolen from China Military (1)

X0563511 (793323) | about 2 years ago | (#39801533)

The code can be used to censer people.

Care to explain how that one works? It's a hypervisor.

Re:Wait, Vmware code stolen from China Military (2)

VoidCrow (836595) | about 2 years ago | (#39802081)

Perhaps if it runs a virtual machine simulating an environment in which the incense might be lit?

Re:Wait, Vmware code stolen from China Military (4, Informative)

rsmith-mac (639075) | about 2 years ago | (#39801421)

What was the Chinese military contractor doing with the VMWare source code anyway?

VMWare routinely shares its source code with major customers, particularly those that need it to add support for new hardware. There's no reason to believe that there aren't companies in China who need it for those purposes too.

Re:Wait, Vmware code stolen from China Military (1)

jd2112 (1535857) | about 2 years ago | (#39802505)

And to prove that the US (or other) government hasn't added code to spy on them, etc.

Re:Wait, Vmware code stolen from China Military (1)

spudnic (32107) | about 2 years ago | (#39803553)

So sharing source code proves this how? Couldn't they just include the spying mechanism before they create the binary that actually ships?

Re:Wait, Vmware code stolen from China Military (1)

Rebelgecko (893016) | about 2 years ago | (#39803791)

If you have the source, it's not very hard to create your own binaries

Re:Wait, Vmware code stolen from China Military (0)

Anonymous Coward | about 2 years ago | (#39804089)

Really? Try this for me. Build Firefox. Go ahead, just build it. Now, take your build and try to create an md5 identical version as the one you download from their site. Have fun with that. (Short summary is you won't unless they've drastically changed their build process in the past few years)

Comparing source to a binary can be a surprisingly non-trivial task.

Re:Wait, Vmware code stolen from China Military (0)

Anonymous Coward | about 2 years ago | (#39804181)

Yep, done that - it was easy

Re:Wait, Vmware code stolen from China Military (0)

Anonymous Coward | about 2 years ago | (#39804293)

Why the demand that it have the same checksum? There are going to be build strings in the binary (timestamp, build hostname, etc.) that will throw that off.

Firefox isn't overly tricky to build. There are source .rpm's and source .deb's out there - those make it REALLY easy because all of the dependencies are listed and can be easily resolved. Hardest would probably be the Windows build.

I don't really understand what you're whining about here.

Re:Wait, Vmware code stolen from China Military (1)

jaymemaurice (2024752) | about 2 years ago | (#39804437)

I think he was trying to allude to the fact that auditing the source, but not using the binary that is built from that source, is a pretty stupid audit. Since you cannot build the source and get the exact same hash of the binary, you can't conclude the binary was derived from the source. However, if you were the Chinese military and so concerned, you may use the binary you built from the source... or more likely you wouldn't be using VMWare anyway because it's too complicated to control all variables and likely unneeded.
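The two threads above (the "build Firefox and get an identical md5" challenge and the point that volatile build strings defeat a byte-for-byte comparison) describe a reproducible-build check. As an added example that is not from this thread or from any vendor's tooling, the script below simulates a toolchain whose linker appends a build-info trailer (timestamp, hostname) and shows the three comparisons an auditor can make: a naive hash (fails), a hash with the declared volatile metadata stripped, and a rebuild with the shipped binary's own build inputs pinned, the way SOURCE_DATE_EPOCH pins timestamps in real toolchains. The artifact format, helper names and sample source are all constructed for the example.

```python
"""Reproducible-build verification, simulated.

Added example (not from the thread). The "compiler" is a deterministic
transformation (zlib) and the "linker" appends a build-info trailer, which
is enough to show why a naive hash comparison of two honest builds fails
and what an auditor has to control before "the binary matches the source"
means anything. All names and the trailer format are invented.
"""
import hashlib
import json
import zlib

TRAILER_MAGIC = b"BLDINFO"  # constructed end-of-artifact marker

# Constructed sample source tree (a single file is enough for the demo).
SAMPLE_SOURCE = b"""
int vmm_entry(void) {
    /* hypervisor entry stub, constructed for the example */
    return 0;
}
"""


def compile_stage(source: bytes) -> bytes:
    """Stand-in for a deterministic compiler: same input, same output."""
    return zlib.compress(source, 9)


def link_stage(obj: bytes, build_time: int, hostname: str) -> bytes:
    """Stand-in for a linker that embeds build metadata (compare __DATE__,
    __TIME__, build-id or version strings in real toolchains).

    Layout: <code><info json><4-byte big-endian len(info)><TRAILER_MAGIC>
    """
    info = json.dumps({"time": build_time, "host": hostname},
                      sort_keys=True).encode()
    return obj + info + len(info).to_bytes(4, "big") + TRAILER_MAGIC


def build(source: bytes, build_time: int, hostname: str) -> bytes:
    return link_stage(compile_stage(source), build_time, hostname)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def split_trailer(artifact: bytes):
    """Return (code_bytes, build_info_dict); parse from the end so the code
    section may contain any byte sequence."""
    if not artifact.endswith(TRAILER_MAGIC):
        raise ValueError("no build-info trailer")
    body = artifact[:-len(TRAILER_MAGIC)]
    n = int.from_bytes(body[-4:], "big")
    body = body[:-4]
    if n > len(body):
        raise ValueError("corrupt build-info length")
    return body[:-n], json.loads(body[-n:])


def naive_match(shipped: bytes, rebuilt: bytes) -> bool:
    """The 'same md5' test from the thread: whole-artifact hash equality."""
    return sha256(shipped) == sha256(rebuilt)


def normalized_match(shipped: bytes, rebuilt: bytes) -> bool:
    """Compare only the code section; ignore the declared volatile trailer.

    Weaker than a full match: anything hidden *inside* the trailer is not
    examined, so the trailer must be small and fully understood."""
    return sha256(split_trailer(shipped)[0]) == sha256(split_trailer(rebuilt)[0])


def pinned_rebuild_match(shipped: bytes, source: bytes) -> bool:
    """Strongest check: rebuild from source with the shipped binary's own
    build time and host pinned (what SOURCE_DATE_EPOCH does for timestamps),
    then require a bit-for-bit match including the trailer."""
    _, info = split_trailer(shipped)
    return naive_match(shipped, build(source, info["time"], info["host"]))


if __name__ == "__main__":
    vendor = build(SAMPLE_SOURCE, 1335000000, "vendor-buildbox")   # constructed
    auditor = build(SAMPLE_SOURCE, 1335000500, "auditor-buildbox")  # constructed
    print("naive hash match:     ", naive_match(vendor, auditor))
    print("normalized match:     ", normalized_match(vendor, auditor))
    print("pinned rebuild match: ", pinned_rebuild_match(vendor, SAMPLE_SOURCE))
    tampered = SAMPLE_SOURCE + b"/* one extra line */\n"
    print("pinned, wrong source: ", pinned_rebuild_match(vendor, tampered))
```

Only the pinned rebuild lets an auditor say "this shipped binary is what this source produces"; the normalized comparison is the fallback when the build inputs cannot be reproduced.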

Re:Wait, Vmware code stolen from China Military (1)

RCL (891376) | about 2 years ago | (#39806863)

I can't say for China, but in Russia there are governmental institutions that work on "detecting superfluous functionality" in licensed software (foreign or otherwise). This doesn't include just building and comparing, a lot of other work needs to be done which is akin to unit-testing the code.

We don't spy on foreigners that way (1)

s.petry (762400) | about 2 years ago | (#39809243)

if (LANG ~= en_US){DEFINE USE_TSA_SPYCODES}else{/*Fuck it, we are TSA */RETURN=0};

Re:Wait, Vmware code stolen from China Military (1)

lipanitech (2620815) | about 2 years ago | (#39807003)

They are a major vendor in virtualization. I like their product. I hope they don't fall victim like Symantec did not so long ago.

Re:Wait, Vmware code stolen from China Military (4, Informative)

wmbetts (1306001) | about 2 years ago | (#39801439)

It's very common with government contracts for the vendor to supply the source code for an audit. If the vendor won't supply the source code they don't get the contract, because other vendors will be happy do this. It even happens with a lot of DoD contracts. I'm sure it happens in other parts of the US Government as well.

Re:Wait, Vmware code stolen from China Military (-1)

Anonymous Coward | about 2 years ago | (#39801481)

I'm sorry but if I knew VMware was dealing with and supplying source code of an ordinarily closed source product to the Chinese military I WOULD NOT PURCHASE THAT PRODUCT.

Nobody in their right mind should use something that PRC could see the source to, but they themselves could not.

Re:Wait, Vmware code stolen from China Military (2)

wmbetts (1306001) | about 2 years ago | (#39801507)

Assume the PRC has seen the source to any product they use, because they probably have even if the company openly denies it.

Re:Wait, Vmware code stolen from China Military (3, Insightful)

jkgamer (179833) | about 2 years ago | (#39802021)

I'm sorry but if I knew VMware was dealing with and supplying source code of an ordinarily closed source product to the Chinese military I WOULD NOT PURCHASE THAT PRODUCT.

Nobody in their right mind should use something that PRC could see the source to, but they themselves could not.

What kind of xenophobic rant is that? What the hell is the Chinese military going to do to your Ubuntu distribution running in a virtual machine? I'll bet there is a lot of source code that they see that you aren't privy to. How many of those automotive computer systems are built in China/Taiwan? Plan to do a lot of horseback riding do you? I think its a far stretch to assume that just because they have seen the source code to something they are going to spend the time and manpower to turn it into some world domination thing. It would be more likely that they were given access to the source code to evaluate how secure it was.

Re:Wait, Vmware code stolen from China Military (1)

jaymemaurice (2024752) | about 2 years ago | (#39804493)

What the hell is the Chinese military going to do to your Ubuntu distribution running in a virtual machine?

Whatever the hell they want... bugs in the hypervisor could allow you access to the running memory or file system of the virtual machines... possibly from a less secure neighbouring virtual machine.

Sure, it's not the most likely thing to happen to your Ubuntu... but proof of concept bugs have been put together (and fixed I think) that allow one VM to get data from the processor cache of another VM (on certain CPUs). Encryption keys/passwords/etc may not be as safe in a VM as they are in a stand alone PC. Does the difference matter?? Should it matter, probably not.

Re:Wait, Vmware code stolen from China Military (0)

Anonymous Coward | about 2 years ago | (#39807205)

How many of those automotive computer systems are built in China/Taiwan? Plan to do a lot of horseback riding do you?

A) I'm pretty sure the automotive computer system in my 67 Chevelle wasn't built in Taiwan or China.

B) If an automotive computer system was built in Taiwan, the PLA doesn't have access to it (yet).

Re:Wait, Vmware code stolen from China Military (1)

Tastecicles (1153671) | about 2 years ago | (#39804261)

what, you mean like the source code for the NT kernel?

The Chinese have that, too.

Are you going to stop using Windows?

Re:Wait, Vmware code stolen from China Military (0, Troll)

DigiShaman (671371) | about 2 years ago | (#39801443)

What was the Chinese military contractor doing with the VMWare source code anyway?

If I had to take a guess, most likely it was a case of corporate espionage. Many engineering folk are of Asian descent in the US. Specifically Chinese, Indian, and Korean nationalities. So sure, Chinese had political ties back home hoping to garner favors for extended family back home and themselves. Generally not done out of patriotism, but for self political gain. This shit happens all the freaking time!

Re:Wait, Vmware code stolen from China Military (2)

megabeck42 (45659) | about 2 years ago | (#39801479)

Have you read the email shown in the image from the first link(threatpost.com)? It's dated 2003 and it's describing how to optimize the thread local storage local descriptors introduced to linux around that time. If the source code is related to that, then it's likely irrelevant at this point. A lot has happened in the past 9 years.

Re:Wait, Vmware code stolen from China Military (1)

WindBourne (631190) | about 2 years ago | (#39803779)

Does it matter if it is current or not? What this shows, if true, is that China is busy cracking away at the west. Now, to be honest, most know it. However, you have ppl that run around and scream that the West does it, or that China does not mean anything bad by it, etc. etc. etc.

In the end, just because we see something nearly 10 years old, does not mean that they do not have newer stuff.

"proactively shared" (1)

nurb432 (527695) | about 2 years ago | (#39801531)

So that means the code is already available if you wanted it bad enough. *yawn*.

I can see reasons for it to be shared, like when companies want to tightly integrate their products and the published API's aren't at a low enough level to do it. Other companies do this too.

Problem is that today's friends are often tomorrow's enemies. (just look at the OS/2 debacle between IBM and Microsoft..)

Re:Wait, Vmware code stolen from China Military (1)

sjames (1099) | about 2 years ago | (#39801681)

That is, they 'proactively shared' the source with the Chinese Military. The source was liberated from there and posted in public.

Re:Wait, Vmware code stolen from China Military (0)

Anonymous Coward | about 2 years ago | (#39801763)

Well that's what you get for being "pro"-active. They should have just shared it actively. What imbecile invented that word anyway and why does everybody have to use it when a simpler word that already existed would do?

Re:Wait, Vmware code stolen from China Military (3, Informative)

AK Marc (707885) | about 2 years ago | (#39801903)

Actively Shared:

They gave it when asked.

Proactively Shared:

They anticipated the request, and so shared before being asked.

Those are distinct and non-interchangeable meanings. There is no simpler word that has that exact meaning.

Re:Wait, Vmware code stolen from China Military (2)

sjames (1099) | about 2 years ago | (#39802369)

Proactive is a good word to indicate that action is taken in anticipation of a need rather than reactive to say action is taken in response to a need. Unfortunately, it is frequently abused to mean any sort of action but I want you to believe it was somehow virtuous (most often when it is nothing of the sort). I'm guessing they probably shared the code reactively.

Re:Wait, Vmware code stolen from China Military (0)

Anonymous Coward | about 2 years ago | (#39801703)

VMware shares source code via their Community Source [vmware.com] program. No idea if that's how the Chinese military got the code.

Re:Wait, Vmware code stolen from China Military (1)

bigstrat2003 (1058574) | about 2 years ago | (#39803069)

Sending out sensitive hyper-visor source code

How on earth is the source code for a hypervisor "sensitive"?

Re:Wait, Vmware code stolen from China Military (1)

KiloByte (825081) | about 2 years ago | (#39804457)

You mean, breaking out of a sandbox has no security-breaching uses?

Re:Wait, Vmware code stolen from China Military (1)

Anonymous Coward | about 2 years ago | (#39803489)

It's not stolen. It's copied. Vmware still has it.

Re:Wait, Vmware code stolen from China Military (1)

wshyang (2626503) | about 2 years ago | (#39805129)

It's not stolen. It's copied. Vmware still has it.

Yes VMWare still has it, except now a new company by the name of "erawmw.cn" is now happy to sell you a copy of their latest "class leading" virtualisation software for US$1.

Set it free!!!!! (0)

commo1 (709770) | about 2 years ago | (#39801367)

In all seriousness, this is a perfect example of why (most) source code should be open-source. Closed-source software depends on "you can't see inside this black box"/"security by obscurity" measures that are vulnerable because they cannot be made more secure by the community.

Re:Set it free!!!!! (0)

Anonymous Coward | about 2 years ago | (#39801447)

Can also go the other way, can be made more vulnerable by the community too.

Re:Set it free!!!!! (1)

Bert64 (520050) | about 2 years ago | (#39803719)

Making source available for everyone to view doesn't mean that you have to integrate any code changes that anyone else sends you.

I do feel quite insulted by the "only big customers see the source" model tho, source should be available to everyone on equal terms even if they release it under non open terms (eg you can build/view/modify internally, but not distribute it in any way).

Re:Set it free!!!!! (0)

Anonymous Coward | about 2 years ago | (#39806065)

Waaaah. You aren't paying them any money so why should they bother showing you anything?

Re:Set it free!!!!! (1)

tlhIngan (30335) | about 2 years ago | (#39808331)

Making source available for everyone to view doesn't mean that you have to integrate any code changes that anyone else sends you.

I do feel quite insulted by the "only big customers see the source" model tho, source should be available to everyone on equal terms even if they release it under non open terms (eg you can build/view/modify internally, but not distribute it in any way).

It's more of a risk thing. When you release the source to your crown jewel product, you're trusting the other side to abide by the terms of the license. If they're a big company, they'd want to because it's a lot easier to go after ONE big company that has money.

If they released it to all customers, then you're trusting that the person who asks for it will abide by the license. If it turns out to be some student who decided to share with his 1,000,000 "friends" over BitTorrent, you're possibly sunk - there's no way to recover any money from them and now it's spread.

That's the main reason. Plus if five of your customers have it and it leaks out, there's only 6 possible origins for the leak - you and the 5 companies. A lot easier than say, 100.

And yes, it extends to open-source as well - I'm sure there are tons of GPL violations out there, but it's so small scale and such that it goes unnoticed. The big open-source guys already respect the license, and the guys with money settle.

Re:Set it free!!!!! (1)

cavreader (1903280) | about 2 years ago | (#39801929)

There are some software applications that require a high degree of coordination and management to produce. Some types of software also require the cooperation of 3rd parties to ensure the system you are building will handle certain functionalities. You may even need to create a test bed to reproduce the security related issue. These types of things cost money. Why should anyone be expected to automatically open source their code before they have a chance to at least recoup the expenses incurred in the development process? And the "many eyes" security approach is laughable and naive in the extreme. How many developers actually possess the skills needed to analyze a complex application code base and spot security problems just by stepping through the code? I have seen a lot of bug fixes and new functionality in open sourced projects but I have not seen any conclusive examples of someone addressing a security related issue. I am sure there might actually be some instances of this happening but placing your faith in the "many eyes" approach is just bad advertising.

Re:Set it free!!!!! (1)

Bert64 (520050) | about 2 years ago | (#39803749)

Just because sourcecode is open, doesn't mean you can't make money from it. RedHat release most of their code and yet they are highly profitable.

There are plenty of people who are able to find security problems, even in binary applications... If you keep the source closed, then there is a high likelihood of it getting leaked anyway, and then you have a situation where the blackhats have an advantage over the whitehats who wouldn't want to associate themselves with leaked code.

Re:Set it free!!!!! (1)

b4dc0d3r (1268512) | about 2 years ago | (#39802843)

On the other side of the coin, it's a lot easier to make money when your customers can't just download and compile your code.

Situations like this actually are a pretty good balance between keeping the source closed, but allowing customers to verify that it doesn't have any secret back doors or obvious security flaws. Many companies do this, and foreign governments and companies seem okay with the arrangement.

Re:Set it free!!!!! (1)

Bert64 (520050) | about 2 years ago | (#39803861)

You can easily release the code under terms that prohibit use of the code without paying the appropriate fees.

It's also equally possible to just download and run the binaries without paying, this is generally called "piracy" or "warez".

The "balance" you talk of, is actually a pretty horrible imbalance, it provides an unfair advantage to larger companies and blackhats, while unfairly discriminating against smaller companies and independent whitehat researchers.

The BSDi approach was actually a much better one, as a paying customer (even a very small one) you got the sourcecode as part of the deal and could modify it to suit your needs internally, but you weren't allowed to redistribute it (or any modifications you made) to third parties.

Releasing your source under such terms doesn't make you worse off, but does make things better for many of the customers and may even bring in new customers. Also although the customers are not allowed to distribute their changes to third parties, there is nothing stopping them contributing bugfixes etc back to the original supplier, so you might actually get some free development out of your users.

Speaking of which, something I utterly detest is software with onerous license enforcement code, that is code which tries to verify that you are in compliance with the license terms and then inhibits functionality (i.e. causes a denial of service) if it believes you are not. Such software provides NO benefit to the customer, but it does bring a significantly increased risk - there have been many cases of license enforcement code incorrectly triggering and causing all kinds of unnecessary problems for paying customers (I believe vmware had such a problem a couple of years ago for instance).
Non paying customers, e.g. pirates, run cracked versions where this code is removed and thus generally have a more stable product.

I think such functions should simply not exist, they are entirely detrimental to paying customers. By all means implement a feature which verifies license compliance and displays or logs a warning if a problem is detected, that is actually useful to help companies ensure they are in compliance, but under no circumstances should the software take intentional acts to disrupt the users.

Re:Set it free!!!!! (1)

jaymemaurice (2024752) | about 2 years ago | (#39804605)

Passwords/public key encryption etc. are all "security by obscurity" as well... sure open source software allows the community to see exploitable bugs, but it doesn't mean the community will notice or fix them. You can, however, be sure at least one community member will be able to remove any license checks and one will release an exploit - that wouldn't have been able to had they not seen the source.

The only valid argument you can use to counter this is that anyone who has the means and motive will get access to the source anyway... but thats pretty weak.

Defence in depth. VMWare has a large team of staff who review code changes and do regression tests against the software... the community is probably of little value now and having closed source adds another layer.

Re:Set it free!!!!! (1)

psmears (629712) | about 2 years ago | (#39806069)

Passwords/public key encryption etc. are all "security by obscurity" as well...

No they're not. Sure, you have to keep them secret, but the key thing is that the security of the whole system doesn't pivotally depend on just your password: if you suspect your password has been compromised, you can very quickly and easily change it, and the system is then no less secure than it was before (give or take any damage done while your password was known). On the other hand, if security depends on your source code not being available (because it does uber-secret stuff), and it then gets leaked, there's nothing you can do to put the genie back in the box, short of rewriting your entire software...

Re:Set it free!!!!! (1)

jaymemaurice (2024752) | about 2 years ago | (#39807985)

Sure, passwords/keys can be changed - but I don't suspect many companies that release closed source software (that they release/make available to partners) are too concerned about their security being completely compromised to the point of needing to rewrite everything due to a source code leak. After all, source code can be patched and re-built... just like passwords and keys changed... and if you don't have the support to get the code changes completed and implemented, you'll still be affected by security related bugs whether the software is open or closed source. There is lots of out of date open source software with major holes floating around in the wild...

Re:Set it free!!!!! (1)

psmears (629712) | about 2 years ago | (#39809183)

After all, source code can be patched and re-built... just like passwords and keys changed...

It can... but the difference is that, once I know my password is compromised, changing my password takes seconds—whereas analysing a code problem, coding a fix, testing it, distributing it to customers and having them deploy it can take months or even years.

and if you don't have the support to get the code changes completed and implemented, you'll still be affected by security related bugs whether the software is open or closed source. There is lots of out of date open source software with major holes floating around in the wild...

I'm not really sure what you're saying. Sure, open and closed source software may both have security bugs - which may or may not get fixed. But this doesn't change the fact that there is a significant difference between security by obscurity and using passwords/keys.

How it probably went down... (1, Insightful)

Anonymous Coward | about 2 years ago | (#39801469)

"Hey, Chien, it costs waaaaay too much for these VMWare licenses. it's too bad we can't build our own."

"Well, they did give us the source code. But they'd get mad at us."

"Not if we tell them it was stolen."

Ahh here comes the cloud hack! (1, Informative)

NetNinja (469346) | about 2 years ago | (#39801607)

I am waiting for my " I told you so!" moment.

Chinese contractors, Non US Citizen contractors. Yes yes the cheapest bidders! As long as everyone is making their 10% on their stocks everyone is happy right?

Re:Ahh here comes the cloud hack! (1)

zlives (2009072) | about 2 years ago | (#39802785)

and where would you direct the hate if it was US hackers that leaked the code... because they never do that :)

Shouldn't matter in theory (4, Informative)

Junta (36770) | about 2 years ago | (#39801857)

No matter how well you understand how a piece of software is implemented, it shouldn't expose any sort of vulnerability. If VMWare legitimately has cause for concern, they were doing it wrong from the start.

While they have probably had viable reason to keep it closed (ESXi did enjoy a pretty secure technical advantage), it's probably approaching time for them to open source the hypervisor since there is now pretty viable competition from KVM and Xen nowadays. They currently are trying to hold their core technology capabilities hostage to force upsell into their management stack (e.g. the many features that are disabled except through vCenter that aren't really inherently requiring vCenter), but that strategy doesn't work when the prospective customers can jump ship pretty easily to less restrictive technologies.

Re:Shouldn't matter in theory (1)

Anonymous Coward | about 2 years ago | (#39802229)

ESXi did enjoy a pretty secure technical advantage

Yeah, right.

With ESX there was a perfectly functional firewall based on iptables. When ESXi came out, VMware removed the firewall, then had the gall to claim it's MORE secure because it's based on busybox instead of ESX being based on redhat.

Some time later, VMware realized they were idiots and put the firewall back in ESXi 5.

Re:Shouldn't matter in theory (1)

DeSigna (522207) | about 2 years ago | (#39803059)

What benefit would VMware gain from open sourcing the hypervisor?

Feature wise they're well ahead of the pack, especially when you add in the full vSphere environment. If they did open source it, they would just be donating all those nifty features to the OSS hypervisors. There's already ample competition to keep them on their toes.

Xen and KVM don't really play in the same space as VMware, they seem to be pointed more at high end environments, like VPS hosting or "clouds", where licensing costs hit hard, you've got a large staff and there is ample scope for automation and customisation. VMware aims for simple, scalable and easy to manage.

Re:Shouldn't matter in theory (1)

x3CDA84B (2592699) | about 2 years ago | (#39803627)

No matter how well you understand how a piece of software is implemented, it shouldn't expose any sort of vulnerability. If VMWare legitimately has cause for concern, they were doing it wrong from the start.

Meanwhile, in the real world, every piece of software has flaws, and now VMWare's are likely to be discovered very quickly.

Re:Shouldn't matter in theory (1)

Bert64 (520050) | about 2 years ago | (#39803875)

Only because the source code is leaked rather than open, white hat researchers won't touch it for reasons of legal liability... Thus, only black hats will be reading the source code looking for vulnerabilities, and then using those vulnerabilities for nefarious means rather than seeking to have them fixed.

Meanwhile, most of vmware's competitors have been open from the start so the low hanging fruit will have already been taken.

Re:Shouldn't matter in theory (1)

drsmithy (35869) | about 2 years ago | (#39805775)

Thus, only black hats will be reading the source code looking for vulnerabilities [...]

Right. Because VMware would never audit their own code.

Which theory? (1)

bill_mcgonigle (4333) | about 2 years ago | (#39803673)

No matter how well you understand how a piece of software is implemented, it shouldn't expose any sort of vulnerability.

When you say, "in theory" you need to include psychology and sociology, not just computer science.

There's a reason people clean up code before they release it as open source.

there is now pretty viable competition from KVM and Xen nowadays

The difference is that Xen has been looked at by the good guys and the bad guys for years. Like it or not ESX is now open source (non-OSI definition), but only for the bad guys.

No need source (2, Funny)

jedwidz (1399015) | about 2 years ago | (#39802195)

If you're serious you don't need source code anyway. Once you have the executable object code (as a paying customer or whatever), you can reverse engineer source code easily enough.

The original source code just makes it easier to understand how the object code works. And if the original source is sparsely commented, or the object code includes debugging info, the benefits are less.

Source code is most useful for situations where you don't have access to the object code, such as hosted services, embedded systems, etc.

Re:No need source (0)

Anonymous Coward | about 2 years ago | (#39802431)

Good luck with Skype.

Re:No need source (4, Insightful)

ledow (319597) | about 2 years ago | (#39804137)

That's certainly true, if you think that a reverse-engineer's time is free.

There have been successful reverse-engineering projects, of course, but nowadays it's pretty much out of most people's realm unless there's EXTREME interest in doing so. By the same token, you could say that you could "just" reverse-engineer Windows and it's as simple as that. Not quite. You could "just" reverse-engineer Steam, too, but that's not really been done either.

Modern software projects are HUGE compared to even 10 years ago. A 50Mb executable barely raises eyebrows anymore, and that's not even getting all the associated libraries and DLL's. Of course it's possible, but it's far from viable unless you have some extreme impetus to do so and are willing to spend years.

It took something like 5 years to "reverse engineer" Transport Tycoon (the OpenTTD project is from a reverse-engineering of the original DOS executables by ludde, I believe, the same guy who started ScummVM by reverse-engineering the SCUMM-engine games) - and that used lots of modern tools on a tiny, ancient DOS executable for a game that used well-known standard languages of the time and still took years to do. To my knowledge, still nobody knows how to defeat the copy-protection on the original Master of Orion properly (GoG.com just give you a copy of the protection sheet as a PDF).

Now think about any decent size modern software project and the chances are that it would take either a VERY dedicated team years, or a particular individual decades to get close to reverse-engineering it (in which time, they could quite literally just write an equivalent themselves anyway). VMWare is hardly a simple piece of software, probably one of the most complicated you can make, what with having to have intimate and perfect knowledge of the machine you're on and the one you're emulating and dealing with all the middle-layers in-between to ensure it works. You probably couldn't reverse-engineer it (certainly not "clean-room" standard) for less than the time/price it would cost to just build your own.

There was a time when you could just throw an executable through simple utilities to get equivalent C source and then work from there to add detail so that you end up with C source that compiles back to the original (or equivalent) and that can be understood by your average programmer. You still can, in fact. But it's not a Sunday afternoon job. And now it's orders-of-magnitude more complex than it used to be back in the hey-day of reverse-engineering executables.

The chances of any modern program being manually reverse-engineered (honestly - this isn't something that can be done automatically and the results understood enough to actually do anything useful with) are slim just because of the sheer extent of the effort involved and the complexity of modern software. You know how people complain that a Hello World is now a 1Mb executable? Multiply that up by something like VMWare's complexity.

And above all that, reverse-engineering is one of THE most difficult things to do on a piece of software. The majority of programmers would never be able to do it. Why do you think there's no "free" program that can connect to Skype (which we have DOZENS of executables for and not one open-source reimplementation), or why Pidgin can't do video over most of the protocols it supports (that DO support video in the official client), or why ReactOS just barely runs and Wine has taken years to get to the point where it can only just run most things after HUGE investment of time and money from thousands of programmers when all it needed to "know" was the public API that everyone was programming against anyway, not even how Windows implements it?

It's technically correct. I wouldn't rely on a program to hold some "secret" way of connecting to somewhere. But unless someone huge (government or corporate) has a really vested interest in breaking your program, reverse-engineering is probably never going to happen.

Re:No need source (1)

alphatel (1450715) | about 2 years ago | (#39805041)

But unless someone huge (government or corporate) has a really vested interest in breaking your program, reverse-engineering is probably never going to happen.

I have intuited that you have posted that reverse-engineering is difficult.

  • Software is complicated
  • Companies have better things to do
  • It's easier to write your own

I have reverse-engineered your post. Took less time than having my own opinion!

Re:No need source (1)

CowTipperGore (1081903) | about 2 years ago | (#39806321)

To my knowledge, still nobody knows how to defeat the copy-protection on the original Master of Orion properly (GoG.com just give you a copy of the protection sheet as a PDF).

Just a minor point - the GOG version of MOO prompts for the ship just like the retail game did, but it doesn't care which one you choose. They did work around it somehow.

Re:No need source (1)

ledow (319597) | about 2 years ago | (#39806511)

I was informed previously that MOO's copy protection isn't a "get it wrong and get thrown out".

What happens is that the game gets stupidly, impossibly hard if you fail the copy protection checks but it takes a long time to see the actual effect.

Re:No need source (1)

CowTipperGore (1081903) | about 2 years ago | (#39806539)

No, that's incorrect. It would end your game and delete the saved game associated with it. You absolutely knew immediately if you had failed the copy protection check.

Unbelievably naive top management (1, Insightful)

gestalt_n_pepper (991155) | about 2 years ago | (#39802503)

If you're dumb enough to give your source, or any other monetizable data to the Chinese, Indians, Pakistanis, etc. don't be surprised to find it suddenly (ahem) "stolen."

VMWare has nobody but its naive, insular, overly trusting top management to blame. They have no effective legal recourse. What did they think would prevent this, a gentleman's agreement?

Re:Unbelievably naive top management (0)

Anonymous Coward | about 2 years ago | (#39802807)

So Indians Chinese and pakis are all same? Wowww I guess you are half monkey and half American

Re:Unbelievably naive top management (0)

Anonymous Coward | about 2 years ago | (#39805001)

All the same? Hardly. But when dealing with the Asian companies, they've seemed much more likely to walk off with trade secrets and source code. They've also been much more engaged in bribery as a normal way of doing business: it's very confusing to Americans who tend to be very, very clumsy at bribery but fabulous at swapping insider secrets for stock manipulation.

Re:Unbelievably naive top management (0)

Anonymous Coward | about 2 years ago | (#39804299)

If you're dumb enough to give your source, or any other monetizable data to the Chinese, Indians, Pakistanis, etc. don't be surprised to find it suddenly (ahem) "stolen."

I'd find it hard to believe if it wasn't for the fact that my employer is starting to go down the same route. Give those nations our source code, secure it against misuse with an NDA/licensing agreement (hahahha), then sit back and watch the money roll in. What could possibly go wrong!

I think this must mark the point VMWare jumped the shark. It seems they have gone from a tech company to being a "business" (if you know what I mean) run by PHBs. Oh well, it was nice knowing you VMWare.

...and nothing of value was lost (1)

IGnatius T Foobar (4328) | about 2 years ago | (#39802749)

Well yes, VMware is still the market leader, but what would anyone do with this source code anyway? It's not as if VMware has anything left to teach the rest of the world about virtualization. The rest of the world has pretty much caught up and virtualization is a commodity now.

Re:...and nothing of value was lost (0)

Anonymous Coward | about 2 years ago | (#39804779)

Well yes, VMware is still the market leader, but what would anyone do with this source code anyway?

Pull your head out of your ass.

Re:...and nothing of value was lost (0)

Anonymous Coward | about 2 years ago | (#39804865)

I would like btrfs / softraid support in ESXi

If I could hack it in reasonably with the source code I probably would.

Re:...and nothing of value was lost (1)

swb (14022) | about 2 years ago | (#39807029)

Did they have anything to teach the rest of the world about virtualization to begin with? I know I've read plenty of posts here on how IBM was doing this with VM/CMS decades ago, complete with many of the facilities we associate with VMware.

What VMware got good at was making x86 virtualization work, given the x86 platform's inherent limitations and lack of native virtualization abilities (IIRC, ESX was released long before Intel added VT, to whatever degree that helps).

At this point, I think you're largely right in terms of the hypervisor itself, but IMHO what they still seem to have the lead on is the next logical step in virtualization, which is management of many hypervisors (and hence VMs).

Carefully guarded secrets (0)

Anonymous Coward | about 2 years ago | (#39804115)

This is going to have impact on virtualisation / emulation crowd. If the code for that was leaked, it means at least a decade of tricks and optimisations in emulation (which is quite hard to do to be performant) was just made available to lurkers.

It still amazes me... (1)

Tastecicles (1153671) | about 2 years ago | (#39804249)

...how any company thinks placing industrial secrets on a World-facing node can in any way be described as a smart decision?

Or was it done deliberately?

Re:It still amazes me... (0)

Anonymous Coward | about 2 years ago | (#39804835)

Where did you get this info?

Since it's a trade secret, what's the problem? (0)

Anonymous Coward | about 2 years ago | (#39804501)

A trade secret loses protection when released. Therefore why on earth is this a problem for anyone other than the keeper of the Secret?

Why steal an inferior product source? (0)

Anonymous Coward | about 2 years ago | (#39805265)

.. when the most performant solution is free.

KVM is far faster than VMware's solution and far less resource intensive and can host Windows, Linux (and OSX with a little patching currently) guests.

Oh yeah Threatpost Propaganda (0)

Anonymous Coward | about 2 years ago | (#39806333)

Cutting through all the ego, bullshit and lies...

FUCK THREATPOST. and KASPERSKY THE FUCKIN NAZIS PROPAGANDA FEAR FACTORY.

use
http://www.h-online.com/
instead

And slashdot, STOP doin this shit. We get it you love DARPA and big brother.
