Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Security The Internet IT Technology

VMware Confirms Source Code Leak 109

Gunkerty Jeb writes "Purloined data and documents, including source code belonging to the U.S. software firm VMWare, continue to bubble up from the networks of a variety of compromised Chinese firms, according to 'Hardcore Charlie,' an anonymous hacker who has claimed responsibility for the hacks. In a statement on the VMWare Web site, Ian Mulholland, Director of VMWare's Security Response Center, said the company acknowledged that a source code file for its ESX product had been leaked online. In a phone interview, Mulholland told Threatpost the company was monitoring the situation and conducting an investigation into the incident."
This discussion has been archived. No new comments can be posted.

VMware Confirms Source Code Leak

Comments Filter:
  • by noh8rz3 ( 2593935 ) on Wednesday April 25, 2012 @07:04PM (#39801317)
    Hmm, I wonder where the hackers are based, and if it is state sponsored. Software code is the bet industrial espionage, because you can re-implement it yourself. My prediction - keep an eye onn the market to see who's the first to release a VMware clone!
    • by Anonymous Coward

      You can't really identify who's the culprit if the code is already leaked on the internets...anyone can just take the code and build from there, even if they were never involved in the hacking/leaking that took place.

      • I am quoting tfa from arstechnica:

        the hacker Hardcore Charlie told Reuters earlier this month that he hacked into CEIEC seeking information on the US military campaign in Afghanistan

        Apparently that hacker hacked into CEIEC - a Chinese military contractor, - looking for information on US military campaign in Afghanistan

        It's like hacking into the system owned by Palestinians looking for information regarding Israelis military campaign

        Makes a lot of sense, doesn't it?

    • It doesn't really matter. China will gladly allow their country to profit from this theft while America will continue to bend over and take an ass-fucking by paying good money to them for chintz.

    • by Anonymous Coward

      Other VMs had source leaks, too.

      Xen [xen.org] had a source leak.
      Virtualbox [virtualbox.org] had a source leak.
      Even KVM [linux-kvm.org] had a source leak.

      These VM people better get their act together!

    • by SurfsUp ( 11523 )

      It sure smells like the same group that hacked Google, using laptops running Windows inside the corporate network as the attack vector. Google's solution was to ban Windows on laptops inside the corporate network (which now requires authorization from a VP) and VMware should do that too.

  • by icebike ( 68054 ) * on Wednesday April 25, 2012 @07:05PM (#39801323)

    Talk about burying the lead!

    This VMware source code reportedly was stolen from Chinese military contractor CEIEC, the China National Electronics Import-Export Corporation. VMware code wasn't the only target.

    What was the the Chinese military contractor doing with the VMWare source code anyway? And what other software packages were affected?
    Hackers hack, that's what they do. But Chinese military contractors with VMWare source code in hand seems a much bigger story if you ask me. Did they have a license to it? Can anyone get a license to it? And if so, why is this a big deal?

    Vmware says:

    VMware proactively shares its source code and interfaces with other industry participants to enable the broad virtualization ecosystem today.

    They can't have it both ways, stating in the same memo that the code was stolen and also "proactively shared". What the heck does proactively shared mean any way? Sending out sensitive hyper-visor source code to foreign military contractors seems at best, ill advised, but then to turn around and act all surprised and defensive when someone steals it from them seems a bit of a stretch.

    • by jhoegl ( 638955 )
      Where did you see the picture which showed their surprise?
      Anyways, it looks like VMWare is going open source soon!
    • by rsmith-mac ( 639075 ) on Wednesday April 25, 2012 @07:17PM (#39801421)

      What was the the Chinese military contractor doing with the VMWare source code anyway?

      VMWare routinely shares its source code with major customers, particularly those that need it to add support for new hardware. There's no reason to believe that there aren't companies in China who need it for those purposes too.

      • by jd2112 ( 1535857 )
        And to prove that the US (or other) government hasn't added code to spy on them, etc.
        • by spudnic ( 32107 )

          So sharing source code proves this how? Couldn't they just include the spying mechanism before they create the binary that actually ships?

          • If you have the source, it's not very hard to create your own binaries

        • if (LANG ~= en_US){DEFINE USE_TSA_SPYCODES}else{/*Fuck it, we are TSA */RETURN=0};

      • They are a major vendor in visualization I like there product I hope they don't fall victim like Symantec did not so long ago.
    • by wmbetts ( 1306001 ) on Wednesday April 25, 2012 @07:20PM (#39801439)

      It's very common with government contracts for the vendor to supply the source code for an audit. If the vendor won't supply the source code they don't get the contract, because other vendors will be happy do this. It even happens with a lot of DoD contracts. I'm sure it happens in other parts of the US Government as well.

    • Have you read the email shown in the image from the first link(threatpost.com)? It's dated 2003 and it's describing how to optimize the thread local storage local descriptors introduced to linux around that time. If the source code is related to that, then it's likely irrelevant at this point. A lot has happened in the past 9 years.

      • Does it matter if it is current or not? What this shows, if true, is that China is busy cracking away at the west. Now, to be honest, most know it. However, you have ppl that run around and scream that the West does it, or that China does not mean anything bad by it, etc. etc. etc.

        In the end, just because we see something nearly 10 years old, does not mean that they do not have newer stuff.
    • So means that the code is already available if you wanted it bad enough. *yawn*.

      I can see reasons for it to be shared, like when companies want to tightly integrate their products and the published API's aren't at a low enough level to do it. Other companies do this too.

      Problem is that today's friends are often tomorrows enemies. ( just look at the OS/2 debacle between IBM and Microsoft .. )

    • by sjames ( 1099 )

      That is, they 'proactively shared' the source with the Chinese Military. The source was liberated from there and posted in public.

    • Sending out sensitive hyper-visor source code

      How on earth is the source code for a hypervisor "sensitive"?

    • by Anonymous Coward

      It's not stolen. It's copied. Vmware still has it.

      • It's not stolen. It's copied. Vmware still has it.

        Yes VMWare still has it, except now a new company by the name of "erawmw.cn" is now happy to sell you a copy of their latest "class leading" virtualisation software for US$1.

  • In all seriousness, this is a perfect example of why (most) source code should be open-source. Closed-source software depends on "you can't see inside this black box"/"security by obscurity" measures that are vulnerable because they cannot be made more secure by the community.

    • There are some software applications that require a high degree of coordination and management to produce. Some types of software also require the cooperation of 3rd parties to ensure the system you are building will handle certain functionalities. You may even need to create a test bed to reproduce the security related issue. These types of things cost money. Why should anyone be expected to automatically open source their code before they have a chance to at least recoup the expenses incurred in the devel

      • by Bert64 ( 520050 )

        Just because sourcecode is open, doesn't mean you can't make money from it. RedHat release most of their code and yet they are highly profitable.

        There are plenty of people who are able to find security problems, even in binary applications... If you keep the source closed, then there is a high likelihood of it getting leaked anyway, and then you have a situation where the blackhats have an advantage over the whitehats who wouldnt want to associate themselves with leaked code.

        • I never said you cannot make money on open source software but this applies only to people or companies whose business model is centered around providing support and bug fixes. Redhat adopted a business model based on charging for support but that option is not universal. The original post on this thread intimated that all source code should be automatically open sourced from the first release.

    • On the other side of the coin, it's a lot easier to make money when your customers can't just download and compile your code.

      Situations like this actually are a pretty good balance between keeping the source closed, but allowing customers to verify that it doesn't have any secret back doors or obvious security flaws. Many companies do this, and foreign governments and companies seem okay with the arrangement.

      • by Bert64 ( 520050 )

        You can easily release the code under terms that prohibit use of the code without paying the appropriate fees.

        It's also equally possible to just download and run the binaries without paying, this is generally called "piracy" or "warez".

        The "balance" you talk of, is actually a pretty horrible imbalance, it provides an unfair advantage to larger companies and blackhats, while unfairly discriminating against smaller companies and independent whitehat researchers.

        The BSDi approach was actually a much better one

    • Passwords/public key encryption etc. are all "security by obscurity" as well... sure open source software allows the community to see exploitable bugs, but it doesn't mean the community will notice or fix them. You can, however, be sure at least one community member will be able to remove any license checks and one will release an exploit - that wouldn't have been able to had they not seen the source.

      The only valid argument you can use to counter this is that anyone who has the means and motive will get acc

      • by psmears ( 629712 )

        Passwords/public key encryption etc. are all "security by obscurity" as well...

        No they're not. Sure, you have to keep them secret, but the key thing is that the security of the whole system doesn't pivotally depend on just your password: if you suspect your password has been compromised, you can very quickly and easily change it, and the system is then no less secure than it was before (give or take any damage done while your password was known). On the other hand, if security depends on your source code not being available (because it does uber-secret stuff), and it then gets leaked,

        • Sure, passwords/keys can be changed - but I don't suspect many companies that release closed source software (that they release/make available to partners) are too concerned about their security being completely compromised to the point of needing to rewrite everything due to a source code leak. After all, source code can be patched and re-built... just like passwords and keys changed... and if you don't have the support to get the code changes completed and implimented, you'll still be affected by security

          • by psmears ( 629712 )

            After all, source code can be patched and re-built... just like passwords and keys changed...

            It can... but the difference is that, once I know my password is compromised, changing my password takes seconds—whereas analysing a code problem, coding a fix, testing it, distributing it to customers and having them deploy it can take months or even years.

            and if you don't have the support to get the code changes completed and implimented, you'll still be affected by security related bugs weather the software is open or closed source. There is lots of out of dat open source software with major holes floating around in the wild...

            I'm not really sure what you're saying. Sure, open and closed source software may both have security bugs - which may or may not get fixed. But this doesn't change the fact that there is a significant difference between security by obscurity and us

  • by Anonymous Coward

    "Hey, Chien, it costs waaaaay too much for these VMWare licenses. it's too bad we can't build our own."

    "Well, they did give us the source code. But they'd get mad at us."

    "Not if we tell them it was stolen."

  • I am waiting for my " I told you so!" moment.

    Chinese contractors, Non Us Citizen contractors. Yes yes the cheapest bidders! As long as everyone is making thier 10% on thier stocks everyone is happy right?

    • by zlives ( 2009072 )

      and wher would you direct the hate if it was US hackers that leaked the code... because they never do that :)

  • by Junta ( 36770 ) on Wednesday April 25, 2012 @08:20PM (#39801857)

    No matter how well you understand how a piece of software is implemented, it shouldn't expose any sort of vulnerability. If VMWare legitimately has cause for concern, they were doing it wrong from the start.

    While they have probably had viable reason to keep it closed (ESXi did enjoy a pretty secure technical advantage), it's probably approaching time for them to open source the hypervisor since there is now pretty viable competition from KVM and Xen nowadays. They currently are trying to hold their core technology capabilities hostage to force upsell into their management stack (e.g. the many features that are disabled except through vCenter that aren't really inherently requiring vCenter), but that strategy doesn't work when the prospective customers can jump ship pretty easily to less restrictive technologies.

    • by Anonymous Coward

      ESXi did enjoy a pretty secure technical advantage

      Yeah, right.

      With ESX there was a perfectly functional firewall based on iptables. When ESXi came out, VMware removed the firewall, then had the gall to claim it's MORE secure because it's based on busybox instead of ESX being based on redhat.

      Some time later, VMware realized they were idiots and put the firewall back in ESXi 5.

    • by DeSigna ( 522207 )

      What benefit would VMware gain from open sourcing the hypervisor?

      Feature wise they're well ahead of the pack, especially when you add in the full vSphere environment. If they did open source it, they would just be donating all those nifty features to the OSS hypervisors. There's already ample competition to keep them on their toes.

      Xen and KVM don't really play in the same space as VMware, they seem to be pointed more at high end environments, like VPS hosting or "clouds", where licensing costs hit hard, you

    • No matter how well you understand how a piece of software is implemented, it shouldn't expose any sort of vulnerability. If VMWare legitimately has cause for concern, they were doing it wrong from the start.

      Meanwhile, in the real world, every piece of software has flaws, and now VMWare's are likely to be discovered very quickly.

      • by Bert64 ( 520050 )

        Only because the source code is leaked rather than open, white hat researchers won't touch it for reasons of legal liability... Thus, only black hats will be reading the source code looking for vulnerabilities, and then using those vulnerabilities for nefarious means rather than seeking to have them fixed.

        Meanwhile, most of vmware's competitors have been open from the start so the low hanging fruit will have already been taken.

        • by drsmithy ( 35869 )

          Thus, only black hats will be reading the source code looking for vulnerabilities [...]

          Right. Because VMware would never audit their own code.

    • No matter how well you understand how a piece of software is implemented, it shouldn't expose any sort of vulnerability.

      When you say, "in theory" you need to include psychology and sociology, not just computer science.

      There's a reason people clean up code before they release it as open source.

      there is now pretty viable competition from KVM and Xen nowadays

      The difference is that Xen has been looked at by the good guys and the bad guys for years. Like it or not ESX is now open source (non-OSI definition),

  • by jedwidz ( 1399015 ) on Wednesday April 25, 2012 @09:08PM (#39802195)

    If you're serious you don't need source code anyway. Once you have the executable object code (as a paying customer or whatever), you can reverse engineer source code easily enough.

    The original source code just makes it easier to understand how the object code works. And if the original source is sparsely commented, or the object code includes debugging info, the benefits are less.

    Source code is most useful for situations where you don't have access to the object code, such as hosted services, embedded systems, etc.

    • Re:No need source (Score:5, Insightful)

      by ledow ( 319597 ) on Thursday April 26, 2012 @03:51AM (#39804137) Homepage

      That's certainly true, if you think that a reverse-engineer's time is free.

      There have been successful reverse-engineering projects, of course, but nowadays it's pretty much out of most people's realm unless there's EXTREME interest in doing so. By the same token, you could say that you could "just" reverse-engineer Windows and it's as simple as that. Not quite. You could "just" reverse-engineer Steam, too, but that's not really been done either.

      Modern software projects are HUGE compared to even 10 years ago. A 50Mb executable barely raises eyebrows anymore, and that's not even getting all the associated libraries and DLL's. Of course it's possible, but it's far from viable unless you have some extreme impetus to do so and are willing to spend years.

      It took something like 5 years to "reverse engineer" Transport Tycoon (the OpenTTD project is from a reverse-engineering of the original DOS executables by ludde, I believe, the same guy who started ScummVM by reverse-engineering the SCUMM-engine games) - and that used lots of modern tools on a tiny, ancient DOS executable for a game that used well-known standard languages of the time and still took years to do. To my knowledge, still nobody knows how to defeat the copy-protection on the original Master of Orion properly (GoG.com just give you a copy of the protection sheet as a PDF).

      Now think about any decent size modern software project and the chances are that it would take either a VERY dedicated team years, or a particular individual decades to get close to reverse-engineering it (in which time, they could quite literally just write an equivalent themselves anyway). VMWare is hardly a simple piece of software, probably one of the most complicated you can make, what with having to have intimate and perfect knowledge of the machine you're on and the one you're emulating and dealing with all the middle-layers in-between to ensure it works. You probably couldn't reverse-engineer it (certainly not "clean-room" standard) for less than the time/price it would cost to just build your own.

      There was a time when you could just throw an executable through simple utilities to get equivalent C source and then work from there to add detail so that you end up with C source that compiles back to the original (or equivalent) and that can be understood by your average programmer. You still can, in fact. But it's not an Sunday afternoon job. And now it's orders-of-magnitude more complex than it used to be back in the hey-day of reverse-engineering executables.

      The chances of any modern program being manually reverse-engineered (honestly - this isn't something that can be done automatically and the results understood enough to actually do anything useful with) are slim just because of the sheer extent of the effort involved and the complexity of modern software. You know how people complain that a Hello World is now a 1Mb executable? Multiply that up by something like VMWare's complexity.

      And above all that, reverse-engineering is one of THE most difficult things to do on a piece of software. The majority of programmers would never be able to do it. Why do you think there's no "free" program that can connect to Skype (which we have DOZENS of executables for and not one open-source reimplementation), or why Pidgin can't do video over most of the protocols it supports (that DO support video in the official client), or why ReactOS just barely runs and Wine has taken years to get to the point where it can only just run most things after HUGE investment of time and money from thousands of programmers when all it needed to "know" was the public API that everyone was programming against anyway, not even how Windows implements it?

      It's technically correct. I wouldn't rely on a program to hold some "secret" way of connecting to somewhere. But unless someone huge (government or corporate) has a really vested interested in breaking your program, reverse-engineering is probably never going to happen.

      • But unless someone huge (government or corporate) has a really vested interested in breaking your program, reverse-engineering is probably never going to happen.

        I have intuited that you have posted that reverse-engineering is difficult.

        • Software is complicated
        • Companies have better things to do
        • It's easier to write your own

        I have reverse-engineered your post. Took less time than having my own opinion!

      • To my knowledge, still nobody knows how to defeat the copy-protection on the original Master of Orion properly (GoG.com just give you a copy of the protection sheet as a PDF).

        Just a minor point - the GOG version of MOO prompts for the ship just like the retail game did, but it doesn't care which one you choose. They did work around it somehow.

        • by ledow ( 319597 )

          I was informed previously that MOO's copy protection isn't a "get it wrong and get thrown out".

          What happens is that the game gets stupidly, impossibly hard if you fail the copy protection checks but it takes a long time to see the actual effect.

          • No, that's incorrect. It would end your game and delete the saved game associated with it. You absolutely knew immediately if you had failed the copy protection check.

      • I was referring specifically to reverse-engineering source code, which as you acknowledge is just a matter of tooling.

        From there the difficulty level depends on what you want to do with that source.

        If the aim is to patch in back doors or surveillance, that isn't likely to require a thorough understanding of the how the software works, and a well-resourced attacker certainly ought be able to pull it off.

        If the aim is to re-engineer a compatible or competing product, without directly plagiarizing the original

  • torrent lik plz
  • If you're dumb enough to give your source, or any other monetizable data to the Chinese, Indians, Pakistanis, etc. don't be surprised to find it suddenly (ahem) "stolen."

    VMWare has nobody but it's naive, insular, overly trusting top management to blame. They have no effective legal recourse. What did they think would prevent this, a gentleman's' agreement?

  • Well yes, VMware is still the market leader, but what would anyone do with this source code anyway? It's not as if VMware has anything left to teach the rest of the world about virtualization. The rest of the world has pretty much caught up and virtualization is a commodity now.
    • by swb ( 14022 )

      Did they have anything to teach the rest of the world about virtualization to begin with? I know I've ready plenty of posts here on how IBM was doing this with VM/CMS decades ago, complete with many of the facilities we associate with VMware.

      What VMware got good at was making x86 virtualization work, given the x86 platforms inherent limitations and lack of native virtualization abilities (IIRC, ESX was released long before Intel added VT, to whatever degree that helps).

      I this point, I think you're largely

  • ...how any company thinks placing industrial secrets on a World-facing node can in any way be described as a smart decision?

    Or was it done deliberately?

  • From the confirmation on VMware site

    Yesterday, April 23, 2012, our security team became aware of the public posting of a single file from the VMware ESX source code and the possibility that more files may be posted in the future. The posted code and associated commentary dates to the 2003 to 2004 timeframe.

    So, they have an 8-9 year old version of the source code. That is ESX version 2/2.5, right? If that is the case, not much was lost and most of the code has changed. This is before hardware virtualization and even 64-bit support.
    Unless the hacker posts something indicating a newer version, then there doesn't seem much to worry about.

e-credibility: the non-guaranteeable likelihood that the electronic data you're seeing is genuine rather than somebody's made-up crap. - Karl Lehenbauer