VMware Confirms Source Code Leak 109
Gunkerty Jeb writes "Purloined data and documents, including source code belonging to the U.S. software firm VMWare, continue to bubble up from the networks of a variety of compromised Chinese firms, according to 'Hardcore Charlie,' an anonymous hacker who has claimed responsibility for the hacks. In a statement on the VMWare Web site, Ian Mulholland, Director of VMWare's Security Response Center, said the company acknowledged that a source code file for its ESX product had been leaked online. In a phone interview, Mulholland told Threatpost the company was monitoring the situation and conducting an investigation into the incident."
Nationality of hackers? (Score:4, Interesting)
Re: (Score:1)
You can't really identify who's the culprit if the code is already leaked on the internets...anyone can just take the code and build from there, even if they were never involved in the hacking/leaking that took place.
Reason of hacking ? (Score:2)
I am quoting tfa from arstechnica:
the hacker Hardcore Charlie told Reuters earlier this month that he hacked into CEIEC seeking information on the US military campaign in Afghanistan
Apparently that hacker hacked into CEIEC - a Chinese military contractor, - looking for information on US military campaign in Afghanistan
It's like hacking into the system owned by Palestinians looking for information regarding Israelis military campaign
Makes a lot of sense, doesn't it?
Re:Reason of hacking ? (Score:4, Insightful)
Not really. China has a lot of intel presence in the region, and unlike US it will likely be less secure because it's not intel about THEIR OWN important operations.
So it makes a lot of sense to go after China's data on US Afghan operations.
Re: (Score:2)
It doesn't really matter. China will gladly allow their country to profit from this theft while America will continue to bend over and take an ass-fucking by paying good money to them for chintz.
Not Just VMWare (Score:1)
Other VMs had source leaks, too.
Xen [xen.org] had a source leak.
Virtualbox [virtualbox.org] had a source leak.
Even KVM [linux-kvm.org] had a source leak.
These VM people better get their act together!
Re: (Score:2)
It sure smells like the same group that hacked Google, using laptops running Windows inside the corporate network as the attack vector. Google's solution was to ban Windows on laptops inside the corporate network (which now requires authorization from a VP) and VMware should do that too.
Wait, Vmware code stolen from China Military (Score:5, Interesting)
Talk about burying the lead!
This VMware source code reportedly was stolen from Chinese military contractor CEIEC, the China National Electronics Import-Export Corporation. VMware code wasn't the only target.
What was the the Chinese military contractor doing with the VMWare source code anyway? And what other software packages were affected?
Hackers hack, that's what they do. But Chinese military contractors with VMWare source code in hand seems a much bigger story if you ask me. Did they have a license to it? Can anyone get a license to it? And if so, why is this a big deal?
Vmware says:
VMware proactively shares its source code and interfaces with other industry participants to enable the broad virtualization ecosystem today.
They can't have it both ways, stating in the same memo that the code was stolen and also "proactively shared". What the heck does proactively shared mean any way? Sending out sensitive hyper-visor source code to foreign military contractors seems at best, ill advised, but then to turn around and act all surprised and defensive when someone steals it from them seems a bit of a stretch.
Re: (Score:2)
Anyways, it looks like VMWare is going open source soon!
Re:Wait, Vmware code stolen from China Military (Score:5, Informative)
Who modded this informative?
VMware has mostly proprietary products. What little open source they have is there only because they are forced to by their use of Linux in ESX.
All of their core products are completely closed source, and released as binary only.
They are about as open source as Microsoft.
Re:Wait, Vmware code stolen from China Military (Score:5, Informative)
Close enough to be accurate, but they do have some incidental open source content that isn't related at all to Linux kernel or userland. For example, their multiboot boot loader is open source and multiboot module boot has zero applicability to a linux system. But still none of the 'meat' of their products is open source, just things like administrative utilities and boot loader and other necessary fluff that provides no value for vmware..
Re: (Score:2)
I can't speak of the totatlity of VMware software being open source or not.
However, the Linux 2D/3D driver is open source http://cgit.freedesktop.org/xorg/driver/xf86-video-vmware [freedesktop.org]
It is also available in the recent Linux kernel releases.
Re: (Score:2)
Re: (Score:2)
All of their core products are completely closed source, and released as binary only.
ESX is now open source, but only for the bad guys.
*non-OSI definition
Re: (Score:1)
> Who modded this informative?
Indeed!
> All of their core products are completely closed source
To peons like you and I: yes.
> They are about as open source as Microsoft.
Funny. You must be new around here. The bigs will share their secret sauce with clients---if they are BIG enough. MS has shared Windows code with China---going back years, check the /. archives---e.g., to ease Chinese fears there are no back doors for the USA to spy on them. Ironical, I know. *G*
Re: (Score:2)
Re: (Score:2)
The code can be used to censer people.
Care to explain how that one works? It's a hypervisor.
Re: (Score:3)
Perhaps if it runs a virtual machine simulating an environment in which the incense might be lit?
Re:Wait, Vmware code stolen from China Military (Score:5, Informative)
VMWare routinely shares its source code with major customers, particularly those that need it to add support for new hardware. There's no reason to believe that there aren't companies in China who need it for those purposes too.
Re: (Score:2)
Re: (Score:2)
So sharing source code proves this how? Couldn't they just include the spying mechanism before they create the binary that actually ships?
Re: (Score:2)
If you have the source, it's not very hard to create your own binaries
Re: (Score:1)
I think he was trying to allude to that auditing the source, but not using the binary that is built from that source, is a pretty stupid audit. Since you cannot build the source and get the exact same hash of the binary, you can't conclude the binary was derrived from the source. However, if you were the chinese military and so concerned, you may use the binary you built from the source... or more likely you wouldn't be using VMWare anyway because it's too complicated to control all variables and likely unn
Re: (Score:2)
We don't spy on foreigners that way (Score:2)
if (LANG ~= en_US){DEFINE USE_TSA_SPYCODES}else{/*Fuck it, we are TSA */RETURN=0};
Re: (Score:1)
Re:Wait, Vmware code stolen from China Military (Score:5, Informative)
It's very common with government contracts for the vendor to supply the source code for an audit. If the vendor won't supply the source code they don't get the contract, because other vendors will be happy do this. It even happens with a lot of DoD contracts. I'm sure it happens in other parts of the US Government as well.
Re: (Score:3)
Assume the PRC has seen the source to any product they use, because they probably have even if the company openly denies it.
Re: (Score:3, Insightful)
I'm sorry but If I knew VMware was dealing with and supplying source code of of an ordinarily closed source product to the Chinese military I WOULD NOT PURCHASE THAT PRODUCT.
Nobody in their right mind should use something that PRC could see the source to, but they themselves could not.
What kind of xenophobic rant is that? What the hell is the Chinese military going to do to your Ubuntu distribution running in a virtual machine? I'll bet there is a lot of source code that they see that you aren't privy to. How many of those automotive computer systems are built in China/Taiwan? Plan to do a lot of horseback riding do you? I think its a far stretch to assume that just because they have seen the source code to something they are going to spend the time and manpower to turn it into some
Re: (Score:1)
What the hell is the Chinese military going to do to your Ubuntu distribution running in a virtual machine?
Whatever the hell they want... bugs in the hypervisor could allow you access to the running memory or file system of the virtual machines... possibly from a less secure neighbouring virtual machine.
Sure, it's not the most likley thing to happen to your Ubuntu... but proof of concept bugs have been put together (and fixed I think) that allow one VM to get data from the processor cache of another VM (on certain CPUs). Encryption keys/passwords/etc may not be as safe in a VM as they are in a stand alone PC. Do
Re: (Score:2)
what, you mean like the source code for the NT kernel?
The Chinese have that, too.
Are you going to stop using Windows?
Re: (Score:3)
Have you read the email shown in the image from the first link(threatpost.com)? It's dated 2003 and it's describing how to optimize the thread local storage local descriptors introduced to linux around that time. If the source code is related to that, then it's likely irrelevant at this point. A lot has happened in the past 9 years.
Re: (Score:2)
In the end, just because we see something nearly 10 years old, does not mean that they do not have newer stuff.
"proactively shared" (Score:2)
So means that the code is already available if you wanted it bad enough. *yawn*.
I can see reasons for it to be shared, like when companies want to tightly integrate their products and the published API's aren't at a low enough level to do it. Other companies do this too.
Problem is that today's friends are often tomorrows enemies. ( just look at the OS/2 debacle between IBM and Microsoft .. )
Re: (Score:2)
That is, they 'proactively shared' the source with the Chinese Military. The source was liberated from there and posted in public.
Re:Wait, Vmware code stolen from China Military (Score:4, Informative)
They gave it when asked.
Proactively Shared:
They anticipated the request, and so shared before being asked.
Those are distinct and non-interchangeable meanings. There is no simpler word that has that exact meaning.
Re: (Score:3)
Proactive is a good word to indicate that action is taken in anticipation of a need rather than reactive to say action is taken in response to a need. Unfortunately, it is frequently abused to mean any sort of action but I want you to believe it was somehow virtuous (most often when it is nothing of the sort). I'm guessing they probably shared the code reactively.
Re: (Score:2)
Sending out sensitive hyper-visor source code
How on earth is the source code for a hypervisor "sensitive"?
Re: (Score:2)
You mean, breaking out of a sandbox has no security-breaching uses?
Re: (Score:1)
It's not stolen. It's copied. Vmware still has it.
Re: (Score:1)
It's not stolen. It's copied. Vmware still has it.
Yes VMWare still has it, except now a new company by the name of "erawmw.cn" is now happy to sell you a copy of their latest "class leading" virtualisation software for US$1.
Re: (Score:2)
Funny how both of you miss-capitalized the name, it is VMware.
Set it free!!!!! (Score:1)
In all seriousness, this is a perfect example of why (most) source code should be open-source. Closed-source software depends on "you can't see inside this black box"/"security by obscurity" measures that are vulnerable because they cannot be made more secure by the community.
Re: (Score:2)
Making source available for everyone to view doesn't mean that you have to integrate any code changes that anyone else sends you.
I do feel quite insulted by the "only big customers see the source" model tho, source should be available to everyone on equal terms even if they release it under non open terms (eg you can build/view/modify internally, but not distribute it in any way).
Re: (Score:2)
It's more of a risk thing. When you release the source to your crown jewel product, you're trusting the other side to abide by th
Re: (Score:2)
You mean like trusting your customers to abide by the terms under which you distribute binaries to them?
Having the source spread is no worse than having the binaries spread. In either case pirates will redistribute it, and there are still customers who will pay. Most corporate customers for instance will not even consider using a pirate copy, and will buy your original no matter how widespread copies are on torrent sites.
Also most pirates won't care about the source, and will just continue pirating the bina
Re: (Score:2)
"more likely" != "always", there are always exceptions.
And the fact that you pirate software for which you don't have the source just goes to show that releasing sourcecode isn't going to have any impact on piracy.
Re: (Score:2)
Never said it should be available for free, just that it should be available on equal terms for everyone. I would advocate that all paying customers receive (or have the right to receive) sourcecode, even if under non-open terms (ie no redistribution etc).
Re: (Score:2)
There are some software applications that require a high degree of coordination and management to produce. Some types of software also require the cooperation of 3rd parties to ensure the system you are building will handle certain functionalities. You may even need to create a test bed to reproduce the security related issue. These types of things cost money. Why should anyone be expected to automatically open source their code before they have a chance to at least recoup the expenses incurred in the devel
Re: (Score:2)
Just because sourcecode is open, doesn't mean you can't make money from it. RedHat release most of their code and yet they are highly profitable.
There are plenty of people who are able to find security problems, even in binary applications... If you keep the source closed, then there is a high likelihood of it getting leaked anyway, and then you have a situation where the blackhats have an advantage over the whitehats who wouldnt want to associate themselves with leaked code.
Re: (Score:2)
I never said you cannot make money on open source software but this applies only to people or companies whose business model is centered around providing support and bug fixes. Redhat adopted a business model based on charging for support but that option is not universal. The original post on this thread intimated that all source code should be automatically open sourced from the first release.
Re: (Score:2)
On the other side of the coin, it's a lot easier to make money when your customers can't just download and compile your code.
Situations like this actually are a pretty good balance between keeping the source closed, but allowing customers to verify that it doesn't have any secret back doors or obvious security flaws. Many companies do this, and foreign governments and companies seem okay with the arrangement.
Re: (Score:2)
You can easily release the code under terms that prohibit use of the code without paying the appropriate fees.
It's also equally possible to just download and run the binaries without paying, this is generally called "piracy" or "warez".
The "balance" you talk of, is actually a pretty horrible imbalance, it provides an unfair advantage to larger companies and blackhats, while unfairly discriminating against smaller companies and independent whitehat researchers.
The BSDi approach was actually a much better one
Re: (Score:1)
Passwords/public key encryption etc. are all "security by obscurity" as well... sure open source software allows the community to see exploitable bugs, but it doesn't mean the community will notice or fix them. You can, however, be sure at least one community member will be able to remove any license checks and one will release an exploit - that wouldn't have been able to had they not seen the source.
The only valid argument you can use to counter this is that anyone who has the means and motive will get acc
Re: (Score:2)
Passwords/public key encryption etc. are all "security by obscurity" as well...
No they're not. Sure, you have to keep them secret, but the key thing is that the security of the whole system doesn't pivotally depend on just your password: if you suspect your password has been compromised, you can very quickly and easily change it, and the system is then no less secure than it was before (give or take any damage done while your password was known). On the other hand, if security depends on your source code not being available (because it does uber-secret stuff), and it then gets leaked,
Re: (Score:1)
Sure, passwords/keys can be changed - but I don't suspect many companies that release closed source software (that they release/make available to partners) are too concerned about their security being completely compromised to the point of needing to rewrite everything due to a source code leak. After all, source code can be patched and re-built... just like passwords and keys changed... and if you don't have the support to get the code changes completed and implimented, you'll still be affected by security
Re: (Score:2)
After all, source code can be patched and re-built... just like passwords and keys changed...
It can... but the difference is that, once I know my password is compromised, changing my password takes seconds—whereas analysing a code problem, coding a fix, testing it, distributing it to customers and having them deploy it can take months or even years.
and if you don't have the support to get the code changes completed and implimented, you'll still be affected by security related bugs weather the software is open or closed source. There is lots of out of dat open source software with major holes floating around in the wild...
I'm not really sure what you're saying. Sure, open and closed source software may both have security bugs - which may or may not get fixed. But this doesn't change the fact that there is a significant difference between security by obscurity and us
How it probably went down... (Score:1, Insightful)
"Hey, Chien, it costs waaaaay too much for these VMWare licenses. it's too bad we can't build our own."
"Well, they did give us the source code. But they'd get mad at us."
"Not if we tell them it was stolen."
Ahh here comes the cloud hack! (Score:1, Informative)
I am waiting for my " I told you so!" moment.
Chinese contractors, Non Us Citizen contractors. Yes yes the cheapest bidders! As long as everyone is making thier 10% on thier stocks everyone is happy right?
Re: (Score:2)
and wher would you direct the hate if it was US hackers that leaked the code... because they never do that :)
Shouldn't matter in theory (Score:5, Informative)
No matter how well you understand how a piece of software is implemented, it shouldn't expose any sort of vulnerability. If VMWare legitimately has cause for concern, they were doing it wrong from the start.
While they have probably had viable reason to keep it closed (ESXi did enjoy a pretty secure technical advantage), it's probably approaching time for them to open source the hypervisor since there is now pretty viable competition from KVM and Xen nowadays. They currently are trying to hold their core technology capabilities hostage to force upsell into their management stack (e.g. the many features that are disabled except through vCenter that aren't really inherently requiring vCenter), but that strategy doesn't work when the prospective customers can jump ship pretty easily to less restrictive technologies.
Re: (Score:1)
ESXi did enjoy a pretty secure technical advantage
Yeah, right.
With ESX there was a perfectly functional firewall based on iptables. When ESXi came out, VMware removed the firewall, then had the gall to claim it's MORE secure because it's based on busybox instead of ESX being based on redhat.
Some time later, VMware realized they were idiots and put the firewall back in ESXi 5.
Re: (Score:1)
What benefit would VMware gain from open sourcing the hypervisor?
Feature wise they're well ahead of the pack, especially when you add in the full vSphere environment. If they did open source it, they would just be donating all those nifty features to the OSS hypervisors. There's already ample competition to keep them on their toes.
Xen and KVM don't really play in the same space as VMware, they seem to be pointed more at high end environments, like VPS hosting or "clouds", where licensing costs hit hard, you
Re: (Score:1)
No matter how well you understand how a piece of software is implemented, it shouldn't expose any sort of vulnerability. If VMWare legitimately has cause for concern, they were doing it wrong from the start.
Meanwhile, in the real world, every piece of software has flaws, and now VMWare's are likely to be discovered very quickly.
Re: (Score:2)
Only because the source code is leaked rather than open, white hat researchers won't touch it for reasons of legal liability... Thus, only black hats will be reading the source code looking for vulnerabilities, and then using those vulnerabilities for nefarious means rather than seeking to have them fixed.
Meanwhile, most of vmware's competitors have been open from the start so the low hanging fruit will have already been taken.
Re: (Score:2)
Right. Because VMware would never audit their own code.
Which theory? (Score:2)
No matter how well you understand how a piece of software is implemented, it shouldn't expose any sort of vulnerability.
When you say, "in theory" you need to include psychology and sociology, not just computer science.
There's a reason people clean up code before they release it as open source.
there is now pretty viable competition from KVM and Xen nowadays
The difference is that Xen has been looked at by the good guys and the bad guys for years. Like it or not ESX is now open source (non-OSI definition),
No need source (Score:3, Funny)
If you're serious you don't need source code anyway. Once you have the executable object code (as a paying customer or whatever), you can reverse engineer source code easily enough.
The original source code just makes it easier to understand how the object code works. And if the original source is sparsely commented, or the object code includes debugging info, the benefits are less.
Source code is most useful for situations where you don't have access to the object code, such as hosted services, embedded systems, etc.
Re:No need source (Score:5, Insightful)
That's certainly true, if you think that a reverse-engineer's time is free.
There have been successful reverse-engineering projects, of course, but nowadays it's pretty much out of most people's realm unless there's EXTREME interest in doing so. By the same token, you could say that you could "just" reverse-engineer Windows and it's as simple as that. Not quite. You could "just" reverse-engineer Steam, too, but that's not really been done either.
Modern software projects are HUGE compared to even 10 years ago. A 50Mb executable barely raises eyebrows anymore, and that's not even getting all the associated libraries and DLL's. Of course it's possible, but it's far from viable unless you have some extreme impetus to do so and are willing to spend years.
It took something like 5 years to "reverse engineer" Transport Tycoon (the OpenTTD project is from a reverse-engineering of the original DOS executables by ludde, I believe, the same guy who started ScummVM by reverse-engineering the SCUMM-engine games) - and that used lots of modern tools on a tiny, ancient DOS executable for a game that used well-known standard languages of the time and still took years to do. To my knowledge, still nobody knows how to defeat the copy-protection on the original Master of Orion properly (GoG.com just give you a copy of the protection sheet as a PDF).
Now think about any decent size modern software project and the chances are that it would take either a VERY dedicated team years, or a particular individual decades to get close to reverse-engineering it (in which time, they could quite literally just write an equivalent themselves anyway). VMWare is hardly a simple piece of software, probably one of the most complicated you can make, what with having to have intimate and perfect knowledge of the machine you're on and the one you're emulating and dealing with all the middle-layers in-between to ensure it works. You probably couldn't reverse-engineer it (certainly not "clean-room" standard) for less than the time/price it would cost to just build your own.
There was a time when you could just throw an executable through simple utilities to get equivalent C source and then work from there to add detail so that you end up with C source that compiles back to the original (or equivalent) and that can be understood by your average programmer. You still can, in fact. But it's not an Sunday afternoon job. And now it's orders-of-magnitude more complex than it used to be back in the hey-day of reverse-engineering executables.
The chances of any modern program being manually reverse-engineered (honestly - this isn't something that can be done automatically and the results understood enough to actually do anything useful with) are slim just because of the sheer extent of the effort involved and the complexity of modern software. You know how people complain that a Hello World is now a 1Mb executable? Multiply that up by something like VMWare's complexity.
And above all that, reverse-engineering is one of THE most difficult things to do on a piece of software. The majority of programmers would never be able to do it. Why do you think there's no "free" program that can connect to Skype (which we have DOZENS of executables for and not one open-source reimplementation), or why Pidgin can't do video over most of the protocols it supports (that DO support video in the official client), or why ReactOS just barely runs and Wine has taken years to get to the point where it can only just run most things after HUGE investment of time and money from thousands of programmers when all it needed to "know" was the public API that everyone was programming against anyway, not even how Windows implements it?
It's technically correct. I wouldn't rely on a program to hold some "secret" way of connecting to somewhere. But unless someone huge (government or corporate) has a really vested interested in breaking your program, reverse-engineering is probably never going to happen.
Re: (Score:2)
But unless someone huge (government or corporate) has a really vested interested in breaking your program, reverse-engineering is probably never going to happen.
I have intuited that you have posted that reverse-engineering is difficult.
I have reverse-engineered your post. Took less time than having my own opinion!
Re: (Score:2)
To my knowledge, still nobody knows how to defeat the copy-protection on the original Master of Orion properly (GoG.com just give you a copy of the protection sheet as a PDF).
Just a minor point - the GOG version of MOO prompts for the ship just like the retail game did, but it doesn't care which one you choose. They did work around it somehow.
Re: (Score:2)
I was informed previously that MOO's copy protection isn't a "get it wrong and get thrown out".
What happens is that the game gets stupidly, impossibly hard if you fail the copy protection checks but it takes a long time to see the actual effect.
Re: (Score:2)
No, that's incorrect. It would end your game and delete the saved game associated with it. You absolutely knew immediately if you had failed the copy protection check.
Re: (Score:1)
I was referring specifically to reverse-engineering source code, which as you acknowledge is just a matter of tooling.
From there the difficulty level depends on what you want to do with that source.
If the aim is to patch in back doors or surveillance, that isn't likely to require a thorough understanding of the how the software works, and a well-resourced attacker certainly ought be able to pull it off.
If the aim is to re-engineer a compatible or competing product, without directly plagiarizing the original
torrent? (Score:2)
Unbelievably naive top management (Score:2, Insightful)
If you're dumb enough to give your source, or any other monetizable data to the Chinese, Indians, Pakistanis, etc. don't be surprised to find it suddenly (ahem) "stolen."
VMWare has nobody but it's naive, insular, overly trusting top management to blame. They have no effective legal recourse. What did they think would prevent this, a gentleman's' agreement?
Re: (Score:1)
...and nothing of value was lost (Score:2)
Re: (Score:2)
Did they have anything to teach the rest of the world about virtualization to begin with? I know I've ready plenty of posts here on how IBM was doing this with VM/CMS decades ago, complete with many of the facilities we associate with VMware.
What VMware got good at was making x86 virtualization work, given the x86 platforms inherent limitations and lack of native virtualization abilities (IIRC, ESX was released long before Intel added VT, to whatever degree that helps).
I this point, I think you're largely
It still amazes me... (Score:2)
...how any company thinks placing industrial secrets on a World-facing node can in any way be described as a smart decision?
Or was it done deliberately?
Old code (Score:2)
From the confirmation on VMware site
Yesterday, April 23, 2012, our security team became aware of the public posting of a single file from the VMware ESX source code and the possibility that more files may be posted in the future. The posted code and associated commentary dates to the 2003 to 2004 timeframe.
So, they have an 8-9 year old version of the source code. That is ESX version 2/2.5, right? If that is the case, not much was lost and most of the code has changed. This is before hardware virtualization and even 64-bit support.
Unless the hacker posts something indicating a newer version, then there doesn't seem much to worry about.