Slashdot Mirror


VMware Confirms Source Code Leak

Gunkerty Jeb writes "Purloined data and documents, including source code belonging to the U.S. software firm VMWare, continue to bubble up from the networks of a variety of compromised Chinese firms, according to 'Hardcore Charlie,' an anonymous hacker who has claimed responsibility for the hacks. In a statement on the VMWare Web site, Ian Mulholland, Director of VMWare's Security Response Center, said the company acknowledged that a source code file for its ESX product had been leaked online. In a phone interview, Mulholland told Threatpost the company was monitoring the situation and conducting an investigation into the incident."

109 comments

  1. Nationality of hackers? by noh8rz3 · · Score: 4, Interesting

    Hmm, I wonder where the hackers are based, and if it is state sponsored. Software code is the best industrial espionage, because you can re-implement it yourself. My prediction - keep an eye on the market to see who's the first to release a VMware clone!

    1. Re:Nationality of hackers? by Anonymous Coward · · Score: 1

      You can't really identify who's the culprit if the code is already leaked on the internets...anyone can just take the code and build from there, even if they were never involved in the hacking/leaking that took place.

    2. Re:Nationality of hackers? by Anonymous Coward · · Score: 0

      keep an eye on the market to see who's the first to release a VMware clone

      You mean like Xen, KVM, and Hyper-V?

    3. Re:Nationality of hackers? by Alien+Being · · Score: 1

      It doesn't really matter. China will gladly allow their country to profit from this theft while America will continue to bend over and take an ass-fucking by paying good money to them for chintz.

    4. Re:Nationality of hackers? by SurfsUp · · Score: 1

      It sure smells like the same group that hacked Google, using laptops running Windows inside the corporate network as the attack vector. Google's solution was to ban Windows on laptops inside the corporate network (which now requires authorization from a VP) and VMware should do that too.

      --
      Life's a bitch but somebody's gotta do it.
  2. Wait, Vmware code stolen from China Military by icebike · · Score: 5, Interesting

    Talk about burying the lead!

    This VMware source code reportedly was stolen from Chinese military contractor CEIEC, the China National Electronics Import-Export Corporation. VMware code wasn't the only target.

    What was the Chinese military contractor doing with the VMWare source code anyway? And what other software packages were affected?
    Hackers hack, that's what they do. But Chinese military contractors with VMWare source code in hand seems a much bigger story if you ask me. Did they have a license to it? Can anyone get a license to it? And if so, why is this a big deal?

    Vmware says:

    VMware proactively shares its source code and interfaces with other industry participants to enable the broad virtualization ecosystem today.

    They can't have it both ways, stating in the same memo that the code was stolen and also "proactively shared". What the heck does proactively shared mean anyway? Sending out sensitive hypervisor source code to foreign military contractors seems at best, ill advised, but then to turn around and act all surprised and defensive when someone steals it from them seems a bit of a stretch.

    --
    Sig Battery depleted. Reverting to safe mode.
    1. Re:Wait, Vmware code stolen from China Military by jhoegl · · Score: 1

      Where did you see the picture which showed their surprise?
      Anyways, it looks like VMWare is going open source soon!

    2. Re:Wait, Vmware code stolen from China Military by twotailakitsune · · Score: 0

      They want virtualization to grow. Sharing their code with other people working in the virtualization industry improves code both ways. Here they are talking about people who have little reason to improve the industry. The code can be used to censer people. Like nuke power. It can be used for good. Bad people could use it for good too, but they are more likely to use it for evil.

    3. Re:Wait, Vmware code stolen from China Military by rsmith-mac · · Score: 4, Informative

      What was the Chinese military contractor doing with the VMWare source code anyway?

      VMWare routinely shares its source code with major customers, particularly those that need it to add support for new hardware. There's no reason to believe that there aren't companies in China who need it for those purposes too.

    4. Re:Wait, Vmware code stolen from China Military by wmbetts · · Score: 4, Informative

      It's very common with government contracts for the vendor to supply the source code for an audit. If the vendor won't supply the source code they don't get the contract, because other vendors will be happy to do this. It even happens with a lot of DoD contracts. I'm sure it happens in other parts of the US Government as well.

      --
      "Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware
    5. Re:Wait, Vmware code stolen from China Military by DigiShaman · · Score: 0, Troll

      What was the Chinese military contractor doing with the VMWare source code anyway?

      If I had to take a guess, most likely it was a case of corporate espionage. Many engineering folk are of Asian descent in the US. Specifically Chinese, Indian, and Korean nationalities. So sure, Chinese had political ties back home hoping to garner favors for extended family back home and themselves. Generally not done out of patriotism, but for self political gain. This shit happens all the freaking time!

      --
      Life is not for the lazy.
    6. Re:Wait, Vmware code stolen from China Military by megabeck42 · · Score: 2

      Have you read the email shown in the image from the first link(threatpost.com)? It's dated 2003 and it's describing how to optimize the thread local storage local descriptors introduced to linux around that time. If the source code is related to that, then it's likely irrelevant at this point. A lot has happened in the past 9 years.

      --
      fnord.
    7. Re:Wait, Vmware code stolen from China Military by wmbetts · · Score: 2

      Assume the PRC has seen the source to any product they use, because they probably have even if the company openly denies it.

      --
      "Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware
    8. Re:Wait, Vmware code stolen from China Military by X0563511 · · Score: 1

      The code can be used to censer people.

      Care to explain how that one works? It's a hypervisor.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    9. Re:Wait, Vmware code stolen from China Military by sjames · · Score: 1

      That is, they 'proactively shared' the source with the Chinese Military. The source was liberated from there and posted in public.

    10. Re:Wait, Vmware code stolen from China Military by Anonymous Coward · · Score: 0

      VMware shares source code via their Community Source program. No idea if that's how the Chinese military got the code.

    11. Re:Wait, Vmware code stolen from China Military by Anonymous Coward · · Score: 0

      Well that's what you get for being "pro"-active. They should have just shared it actively. What imbecile invented that word anyway and why does everybody have to use it when a simpler word that already existed would do?

    12. Re:Wait, Vmware code stolen from China Military by bertok · · Score: 5, Informative

      Who modded this informative?

      VMware has mostly proprietary products. What little open source they have is there only because they are forced to by their use of Linux in ESX.

      All of their core products are completely closed source, and released as binary only.

      They are about as open source as Microsoft.

    13. Re:Wait, Vmware code stolen from China Military by Junta · · Score: 4, Informative

      Close enough to be accurate, but they do have some incidental open source content that isn't related at all to Linux kernel or userland. For example, their multiboot boot loader is open source and multiboot module boot has zero applicability to a linux system. But still none of the 'meat' of their products is open source, just things like administrative utilities and boot loader and other necessary fluff that provides no value for vmware.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    14. Re:Wait, Vmware code stolen from China Military by AK+Marc · · Score: 3, Informative

      Actively Shared:

      They gave it when asked.

      Proactively Shared:

      They anticipated the request, and so shared before being asked.

      Those are distinct and non-interchangeable meanings. There is no simpler word that has that exact meaning.

    15. Re:Wait, Vmware code stolen from China Military by jkgamer · · Score: 3, Insightful

      I'm sorry, but if I knew VMware was dealing with and supplying source code of an ordinarily closed source product to the Chinese military I WOULD NOT PURCHASE THAT PRODUCT.

      Nobody in their right mind should use something that PRC could see the source to, but they themselves could not.

      What kind of xenophobic rant is that? What the hell is the Chinese military going to do to your Ubuntu distribution running in a virtual machine? I'll bet there is a lot of source code that they see that you aren't privy to. How many of those automotive computer systems are built in China/Taiwan? Plan to do a lot of horseback riding do you? I think it's a far stretch to assume that just because they have seen the source code to something they are going to spend the time and manpower to turn it into some world domination thing. It would be more likely that they were given access to the source code to evaluate how secure it was.

    16. Re:Wait, Vmware code stolen from China Military by VoidCrow · · Score: 2

      Perhaps if it runs a virtual machine simulating an environment in which the incense might be lit?

    17. Re:Wait, Vmware code stolen from China Military by sjames · · Score: 2

      Proactive is a good word to indicate that action is taken in anticipation of a need rather than reactive to say action is taken in response to a need. Unfortunately, it is frequently abused to mean any sort of action but I want you to believe it was somehow virtuous (most often when it is nothing of the sort). I'm guessing they probably shared the code reactively.

    18. Re:Wait, Vmware code stolen from China Military by jd2112 · · Score: 1

      Not forced, just easier to use an existing OS with wide hardware support than to roll their own including a gazillion device drivers.

      --
      Any insufficiently advanced magic is indistinguishable from technology.
    19. Re:Wait, Vmware code stolen from China Military by jd2112 · · Score: 1

      And to prove that the US (or other) government hasn't added code to spy on them, etc.

      --
      Any insufficiently advanced magic is indistinguishable from technology.
    20. Re:Wait, Vmware code stolen from China Military by bigstrat2003 · · Score: 1

      Sending out sensitive hypervisor source code

      How on earth is the source code for a hypervisor "sensitive"?

      --
      "16MB (fuck off, MiB fascists)" - The Mighty Buzzard
    21. Re:Wait, Vmware code stolen from China Military by Anonymous Coward · · Score: 1

      It's not stolen. It's copied. Vmware still has it.

    22. Re:Wait, Vmware code stolen from China Military by spudnic · · Score: 1

      So sharing source code proves this how? Couldn't they just include the spying mechanism before they create the binary that actually ships?

      --
      load "linux",8,1
    23. Re:Wait, Vmware code stolen from China Military by bill_mcgonigle · · Score: 1

      All of their core products are completely closed source, and released as binary only.

      ESX is now open source, but only for the bad guys.

      *non-OSI definition

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    24. Re:Wait, Vmware code stolen from China Military by WindBourne · · Score: 1

      Does it matter if it is current or not? What this shows, if true, is that China is busy cracking away at the west. Now, to be honest, most know it. However, you have ppl that run around and scream that the West does it, or that China does not mean anything bad by it, etc. etc. etc.

      In the end, just because we see something nearly 10 years old, does not mean that they do not have newer stuff.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    25. Re:Wait, Vmware code stolen from China Military by Rebelgecko · · Score: 1

      If you have the source, it's not very hard to create your own binaries

      --
      CATS/Diebold '08- All your vote are belong to us!
    26. Re:Wait, Vmware code stolen from China Military by Anonymous Coward · · Score: 0

      Really? Try this for me. Build Firefox. Go ahead, just build it. Now, take your build and try to create an md5 identical version as the one you download from their site. Have fun with that. (Short summary is you won't unless they've drastically changed their build process in the past few years)

      Comparing source to a binary can be a surprisingly non-trivial task.

    27. Re:Wait, Vmware code stolen from China Military by Anonymous Coward · · Score: 0

      Yep, done that - it was easy

    28. Re:Wait, Vmware code stolen from China Military by Tastecicles · · Score: 1

      what, you mean like the source code for the NT kernel?

      The Chinese have that, too.

      Are you going to stop using Windows?

      --
      Operation Guillotine is in effect.
    29. Re:Wait, Vmware code stolen from China Military by Anonymous Coward · · Score: 0

      Why the demand that it have the same checksum? There are going to be build strings in the binary (timestamp, build hostname, etc.) that will throw that off.

      Firefox isn't overly tricky to build. There are source .rpm's and source .deb's out there - those make it REALLY easy because all of the dependencies are listed and can be easily resolved. Hardest would probably be the Windows build.

      I don't really understand what you're whining about here.

    30. Re:Wait, Vmware code stolen from China Military by jaymemaurice · · Score: 1

      I think he was trying to allude to that auditing the source, but not using the binary that is built from that source, is a pretty stupid audit. Since you cannot build the source and get the exact same hash of the binary, you can't conclude the binary was derived from the source. However, if you were the chinese military and so concerned, you may use the binary you built from the source... or more likely you wouldn't be using VMWare anyway because it's too complicated to control all variables and likely unneeded.

      --
      120 characters ought to be enough for anyone
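
      The three posts above circle one practical point: a raw checksum of a vendor binary will never equal the checksum of your own build while timestamps, build hosts and similar strings are stamped into the file, so "does this binary come from that source" needs either a deterministic build or a comparison that masks the known-variable fields and nothing else. The following is an added example, not code from the thread or from VMware; the two "binaries" are constructed byte strings that differ only in an embedded build banner, plus a third copy whose code differs by one call target. It shows the naive comparison failing, the normalized comparison passing, the normalized comparison still catching the code change, and how much of the file the masking makes you blind to.

```python
"""Naive vs. normalized comparison of two builds of the same source.
All binaries here are constructed toy byte strings, not real builds."""
import hashlib
import re

# Arbitrary "machine code" bytes, identical in every build below.
CODE_PREFIX = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"\x55\x48\x89\xe5\x31\xc0\x5d\xc3"
CODE_SUFFIX = b"\x48\x83\xec\x10\xe8\x00\x00\x00\x00\xc9\xc3"


def stamped_build(build_info, code_suffix=CODE_SUFFIX):
    """Glue code around a build banner, the way __DATE__/__TIME__ or a
    build script's version string ends up inside a real binary."""
    return CODE_PREFIX + b"\x00Built " + build_info + b"\x00" + code_suffix


# Two builds of identical code on different machines at different times.
BUILD_A = stamped_build(b"2012-04-24 13:37:05 by jenkins@build01")
BUILD_B = stamped_build(b"2012-04-25 09:02:41 by zhang@ws-42")
# Same banner as A, but one call target changed (e8 00 00 00 00 -> e8 2a 00 00 00).
TAMPERED = stamped_build(
    b"2012-04-24 13:37:05 by jenkins@build01",
    CODE_SUFFIX.replace(b"\xe8\x00\x00\x00\x00", b"\xe8\x2a\x00\x00\x00"),
)

# Fields known to vary between otherwise identical builds. Keep these as
# narrow as possible: every masked byte is a byte nobody is checking.
NONDETERMINISTIC_FIELDS = [
    re.compile(rb"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"),  # build timestamp
    re.compile(rb"by [A-Za-z0-9_.-]+@[A-Za-z0-9_.-]+"),   # builder@host
]


def raw_digest(blob):
    """What the 'md5 identical' demand in the thread asks for."""
    return hashlib.sha256(blob).hexdigest()


def normalize(blob):
    """Replace each known-variable field with a constant token."""
    for pattern in NONDETERMINISTIC_FIELDS:
        blob = pattern.sub(b"<masked>", blob)
    return blob


def normalized_digest(blob):
    return hashlib.sha256(normalize(blob)).hexdigest()


def masked_fraction(blob):
    """Fraction of the binary the normalized comparison refuses to look at."""
    stripped = blob
    for pattern in NONDETERMINISTIC_FIELDS:
        stripped = pattern.sub(b"", stripped)
    return (len(blob) - len(stripped)) / len(blob)


def compare_builds(a, b):
    """Report both verdicts plus how much masking it took to get the second."""
    return {
        "raw_match": raw_digest(a) == raw_digest(b),
        "normalized_match": normalized_digest(a) == normalized_digest(b),
        "masked_fraction": max(masked_fraction(a), masked_fraction(b)),
    }


if __name__ == "__main__":
    print("same source, different build machine:", compare_builds(BUILD_A, BUILD_B))
    print("same banner, modified code:          ", compare_builds(BUILD_A, TAMPERED))
```

      The masked fraction is the honest number to report alongside a "normalized match": anything an attacker can fit inside a masked field is invisible to this check, so the masks must be the narrowest patterns that cover the real variation, never a "skip the whole .rodata section" shortcut. The durable fix is the one the reproducible-builds effort standardized: stop stamping the variation in at all (honour SOURCE_DATE_EPOCH instead of __DATE__/__TIME__, fix the build path and toolchain), after which the raw digests match and no masking is needed.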
    31. Re:Wait, Vmware code stolen from China Military by KiloByte · · Score: 1

      You mean, breaking out of a sandbox has no security-breaching uses?

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    32. Re:Wait, Vmware code stolen from China Military by jaymemaurice · · Score: 1

      What the hell is the Chinese military going to do to your Ubuntu distribution running in a virtual machine?

      Whatever the hell they want... bugs in the hypervisor could allow you access to the running memory or file system of the virtual machines... possibly from a less secure neighbouring virtual machine.

      Sure, it's not the most likely thing to happen to your Ubuntu... but proof of concept bugs have been put together (and fixed I think) that allow one VM to get data from the processor cache of another VM (on certain CPUs). Encryption keys/passwords/etc may not be as safe in a VM as they are in a stand alone PC. Does the difference matter?? Should it matter, probably not.

      --
      120 characters ought to be enough for anyone
    33. Re:Wait, Vmware code stolen from China Military by wshyang · · Score: 1

      It's not stolen. It's copied. Vmware still has it.

      Yes VMWare still has it, except now a new company by the name of "erawmw.cn" is now happy to sell you a copy of their latest "class leading" virtualisation software for US$1.

    34. Re:Wait, Vmware code stolen from China Military by Mana+Mana · · Score: 1

      > Who modded this informative?

      Indeed!

      > All of their core products are completely closed source

      To peons like you and I: yes.

      > They are about as open source as Microsoft.

      Funny. You must be new around here. The bigs will share their secret sauce with clients---if they are BIG enough. MS has shared Windows code with China---going back years, check the /. archives---e.g., to ease Chinese fears there are no back doors for the USA to spy on them. Ironical, I know. *G*

    35. Re:Wait, Vmware code stolen from China Military by RCL · · Score: 1

      They shared the sources with Russia as well, for similar reasons (to obtain necessary certificates).

    36. Re:Wait, Vmware code stolen from China Military by RCL · · Score: 1

      I can't say for China, but in Russia there are governmental institutions that work on "detecting superfluous functionality" in licensed software (foreign or otherwise). This doesn't include just building and comparing, a lot of other work needs to be done which is akin to unit-testing the code.

    37. Re:Wait, Vmware code stolen from China Military by lipanitech · · Score: 1

      They are a major vendor in virtualization. I like their product; I hope they don't fall victim like Symantec did not so long ago.

    38. Re:Wait, Vmware code stolen from China Military by Anonymous Coward · · Score: 0

      How many of those automotive computer systems are built in China/Taiwan? Plan to do a lot of horseback riding do you?

      A) I'm pretty sure the automotive computer system in my 67 Chevelle wasn't built in Taiwan or China.

      B) If an automotive computer system was built in Taiwan, the PLA doesn't have access to it (yet).

    39. Re:Wait, Vmware code stolen from China Military by Lashat · · Score: 1

      I can't speak of the totality of VMware software being open source or not.

      However, the Linux 2D/3D driver is open source http://cgit.freedesktop.org/xorg/driver/xf86-video-vmware
      It is also available in the recent Linux kernel releases.

      --
      For every benefit you receive a tax is levied. - Ralph Waldo Emerson
    40. Re:Wait, Vmware code stolen from China Military by Coren22 · · Score: 1

      Funny how both of you mis-capitalized the name, it is VMware.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  3. Set it free!!!!! by commo1 · · Score: 0

    In all seriousness, this is a perfect example of why (most) source code should be open-source. Closed-source software depends on "you can't see inside this black box"/"security by obscurity" measures that are vulnerable because they cannot be made more secure by the community.

    1. Re:Set it free!!!!! by Anonymous Coward · · Score: 0

      Can also go the other way, can be made more vulnerable by the community too.

    2. Re:Set it free!!!!! by cavreader · · Score: 1

      There are some software applications that require a high degree of coordination and management to produce. Some types of software also require the cooperation of 3rd parties to ensure the system you are building will handle certain functionalities. You may even need to create a test bed to reproduce the security related issue. These types of things cost money. Why should anyone be expected to automatically open source their code before they have a chance to at least recoup the expenses incurred in the development process? And the "many eyes" security approach is laughable and naive in the extreme. How many developers actually possess the skills needed to analyze a complex application code base and spot security problems just by stepping through the code? I have seen a lot of bug fixes and new functionality in open sourced projects but I have not seen any conclusive examples of someone addressing a security related issue. I am sure there might actually be some instances of this happening but placing your faith on the "many eyes" approach is just bad advertising.

    3. Re:Set it free!!!!! by b4dc0d3r · · Score: 1

      On the other side of the coin, it's a lot easier to make money when your customers can't just download and compile your code.

      Situations like this actually are a pretty good balance between keeping the source closed, but allowing customers to verify that it doesn't have any secret back doors or obvious security flaws. Many companies do this, and foreign governments and companies seem okay with the arrangement.

    4. Re:Set it free!!!!! by Bert64 · · Score: 1

      Making source available for everyone to view doesn't mean that you have to integrate any code changes that anyone else sends you.

      I do feel quite insulted by the "only big customers see the source" model though, source should be available to everyone on equal terms even if they release it under non open terms (eg you can build/view/modify internally, but not distribute it in any way).

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    5. Re:Set it free!!!!! by Bert64 · · Score: 1

      Just because sourcecode is open, doesn't mean you can't make money from it. RedHat release most of their code and yet they are highly profitable.

      There are plenty of people who are able to find security problems, even in binary applications... If you keep the source closed, then there is a high likelihood of it getting leaked anyway, and then you have a situation where the blackhats have an advantage over the whitehats who wouldn't want to associate themselves with leaked code.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    6. Re:Set it free!!!!! by Bert64 · · Score: 1

      You can easily release the code under terms that prohibit use of the code without paying the appropriate fees.

      It's also equally possible to just download and run the binaries without paying, this is generally called "piracy" or "warez".

      The "balance" you talk of, is actually a pretty horrible imbalance, it provides an unfair advantage to larger companies and blackhats, while unfairly discriminating against smaller companies and independent whitehat researchers.

      The BSDi approach was actually a much better one, as a paying customer (even a very small one) you got the sourcecode as part of the deal and could modify it to suit your needs internally, but you weren't allowed to redistribute it (or any modifications you made) to third parties.

      Releasing your source under such terms doesn't make you worse off, but does make things better for many of the customers and may even bring in new customers. Also although the customers are not allowed to distribute their changes to third parties, there is nothing stopping them contributing bugfixes etc back to the original supplier, so you might actually get some free development out of your users.

      Speaking of which, something I utterly detest is software with onerous license enforcement code, that is code which tries to verify that you are in compliance with the license terms and then inhibits functionality (ie causes a denial of service) if it believes you are not. Such software provides NO benefit to the customer, but it does bring a significantly increased risk - there have been many cases of license enforcement code incorrectly triggering and causing all kinds of unnecessary problems for paying customers (I believe vmware had such a problem a couple of years ago for instance).
      Non paying customers, eg pirates, run cracked versions where this code is removed and thus generally have a more stable product.

      I think such functions should simply not exist, they are entirely detrimental to paying customers. By all means implement a feature which verifies license compliance and displays or logs a warning if a problem is detected, that is actually useful to help companies ensure they are in compliance, but under no circumstances should the software take intentional acts to disrupt the users.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    7. Re:Set it free!!!!! by jaymemaurice · · Score: 1

      Passwords/public key encryption etc. are all "security by obscurity" as well... sure open source software allows the community to see exploitable bugs, but it doesn't mean the community will notice or fix them. You can, however, be sure at least one community member will be able to remove any license checks and one will release an exploit - that wouldn't have been able to had they not seen the source.

      The only valid argument you can use to counter this is that anyone who has the means and motive will get access to the source anyway... but that's pretty weak.

      Defence in depth. VMWare has a large team of staff who review code changes and do regression tests against the software... the community is probably of little value now and having closed source adds another layer.

      --
      120 characters ought to be enough for anyone
    8. Re:Set it free!!!!! by Anonymous Coward · · Score: 0

      Waaaah. You aren't paying them any money so why should they bother showing you anything?

    9. Re:Set it free!!!!! by psmears · · Score: 1

      Passwords/public key encryption etc. are all "security by obscurity" as well...

      No they're not. Sure, you have to keep them secret, but the key thing is that the security of the whole system doesn't pivotally depend on just your password: if you suspect your password has been compromised, you can very quickly and easily change it, and the system is then no less secure than it was before (give or take any damage done while your password was known). On the other hand, if security depends on your source code not being available (because it does uber-secret stuff), and it then gets leaked, there's nothing you can do to put the genie back in the box, short of rewriting your entire software...

    10. Re:Set it free!!!!! by jaymemaurice · · Score: 1

      Sure, passwords/keys can be changed - but I don't suspect many companies that release closed source software (that they release/make available to partners) are too concerned about their security being completely compromised to the point of needing to rewrite everything due to a source code leak. After all, source code can be patched and re-built... just like passwords and keys changed... and if you don't have the support to get the code changes completed and implemented, you'll still be affected by security related bugs whether the software is open or closed source. There is lots of out of date open source software with major holes floating around in the wild...

      --
      120 characters ought to be enough for anyone
    11. Re:Set it free!!!!! by tlhIngan · · Score: 1

      Making source available for everyone to view doesn't mean that you have to integrate any code changes that anyone else sends you.

      I do feel quite insulted by the "only big customers see the source" model tho, source should be available to everyone on equal terms even if they release it under non open terms (eg you can build/view/modify internally, but not distribute it in any way).

      It's more of a risk thing. When you release the source to your crown jewel product, you're trusting the other side to abide by the terms of the license. If they're a big company, they'd want to because it's a lot easier to go after ONE big company that has money.

      If they released it to all customers, then you're trusting that the person who asks for it will abide by the license. If it turns out to be some student who decided to share with his 1,000,000 "friends" over BitTorrent, you're possibly sunk - there's no way to recover any money from them and now it's spread.

      That's the main reason. Plus if five of your customers have it and it leaks out, there's only 6 possible origins for the leak - you and the 5 companies. A lot easier than say, 100.

      And yes, it extends to open-source as well - I'm sure there are tons of GPL violations out there, but it's so small scale and such that it goes unnoticed. The big open-source guys already respect the license, and the guys with money settle.
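
      The post above makes the leak-tracing argument purely by counting: five licensees plus the vendor means six possible origins. A vendor that actually hands source to a handful of big customers usually goes one step further and makes each delivered copy distinguishable, so a leaked file points at one licensee rather than at the set. The following is an added example of that idea, not code from the thread or from VMware: the C fragment is constructed, the key and the licensee names are hypothetical, and the carrier (spaces versus a tab at the first indent level, which does not change the compiled program) is deliberately the simplest one possible. Each licensee's bit pattern is an HMAC of its name under a key only the vendor holds, and attribution reports "unattributable" when the pattern is destroyed or when two licensees fit equally well, instead of blaming the closest match.

```python
"""Per-licensee fingerprinting of a shared source file and attribution of a
leaked copy. Constructed demo; the source fragment, key and licensee names
are not real."""
import hashlib
import hmac

# Constructed C fragment standing in for one licensed source file.
SAMPLE_SOURCE = """\
static int guest_map_range(struct vm *vm, uint64_t gpa, size_t len)
{
    size_t off;
    if (len == 0)
        return -EINVAL;
    if (len > GUEST_MAX_MAP)
        return -E2BIG;
    if (gpa + len < gpa)
        return -ERANGE;
    if (!range_in_guest(vm, gpa, len))
        return -EFAULT;
    for (off = 0; off < len; off += PAGE_SIZE) {
        int rc = map_page(vm, gpa + off);
        if (rc)
            goto unwind;
    }
    vm_stat_inc(vm, VM_STAT_MAPS);
    return 0;
unwind:
    while (off > 0) {
        off -= PAGE_SIZE;
        unmap_page(vm, gpa + off);
    }
    return -ENOMEM;
}
"""

KEY = b"constructed-demo-key-rotate-me"  # hypothetical; a real key lives in a KMS/HSM
RECIPIENTS = ["licensee_1", "licensee_2", "licensee_3", "licensee_4", "licensee_5"]
MIN_CARRIERS = 16   # fewer carrier lines than this is too few bits to say anything
MAX_BIT_ERRORS = 1  # tolerate one carrier line the leaker happened to touch


def recipient_bits(key, recipient, n):
    """First n bits of HMAC-SHA256(key, recipient): the licensee's fingerprint."""
    digest = hmac.new(key, recipient.encode(), hashlib.sha256).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(n)]


def carrier_indices(lines):
    """Master copy is assumed space-indented; each indented line carries one bit."""
    return [i for i, line in enumerate(lines) if line.startswith("    ")]


def watermark_source(source, key, recipient):
    """Produce the copy delivered to one licensee: bit 1 -> tab, bit 0 -> spaces."""
    lines = source.split("\n")
    carriers = carrier_indices(lines)
    for idx, bit in zip(carriers, recipient_bits(key, recipient, len(carriers))):
        if bit:
            lines[idx] = "\t" + lines[idx][4:]
    return "\n".join(lines)


def extract_bits(text):
    """Read the carrier back out of a (possibly leaked) copy."""
    return [1 if line.startswith("\t") else 0
            for line in text.split("\n") if line.startswith(("\t", "    "))]


def attribute_leak(leaked, key, recipients):
    """Name the licensee whose fingerprint the leaked copy carries, or None."""
    observed = extract_bits(leaked)
    if len(observed) < MIN_CARRIERS:
        return None
    scored = []
    for recipient in recipients:
        expected = recipient_bits(key, recipient, len(observed))
        errors = sum(o != e for o, e in zip(observed, expected))
        scored.append((errors, recipient))
    scored.sort()
    best_errors, best = scored[0]
    if best_errors > MAX_BIT_ERRORS:
        return None          # pattern destroyed (reformatted) or never present
    if len(scored) > 1 and scored[1][0] <= MAX_BIT_ERRORS:
        return None          # ambiguous: two licensees both fit, do not guess
    return best


if __name__ == "__main__":
    leaked = watermark_source(SAMPLE_SOURCE, KEY, "licensee_3")
    print("leaked copy attributed to:", attribute_leak(leaked, KEY, RECIPIENTS))
    print("after reformatting:       ", attribute_leak(leaked.expandtabs(4), KEY, RECIPIENTS))
```

      The whitespace carrier is there to keep the example readable; one pass through an indenter erases it, which the code reports as unattributable rather than mis-attributing. Real schemes spread the bits over carriers that survive reformatting (equivalent statement orderings, comment wording, identifier choices) and keep a record of which carrier set went with which delivery, but the control flow is the same: keyed per-recipient pattern, threshold on bit errors, refusal to name anyone when two candidates fit.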

    12. Re:Set it free!!!!! by psmears · · Score: 1

      After all, source code can be patched and re-built... just like passwords and keys changed...

      It can... but the difference is that, once I know my password is compromised, changing my password takes seconds—whereas analysing a code problem, coding a fix, testing it, distributing it to customers and having them deploy it can take months or even years.

      and if you don't have the support to get the code changes completed and implemented, you'll still be affected by security related bugs whether the software is open or closed source. There is lots of out of date open source software with major holes floating around in the wild...

      I'm not really sure what you're saying. Sure, open and closed source software may both have security bugs - which may or may not get fixed. But this doesn't change the fact that there is a significant difference between security by obscurity and using passwords/keys.

    13. Re:Set it free!!!!! by Bert64 · · Score: 1

      Never said it should be available for free, just that it should be available on equal terms for everyone. I would advocate that all paying customers receive (or have the right to receive) sourcecode, even if under non-open terms (ie no redistribution etc).

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    14. Re:Set it free!!!!! by Bert64 · · Score: 1

      You mean like trusting your customers to abide by the terms under which you distribute binaries to them?

      Having the source spread is no worse than having the binaries spread. In either case pirates will redistribute it, and there are still customers who will pay. Most corporate customers for instance will not even consider using a pirate copy, and will buy your original no matter how widespread copies are on torrent sites.

      Also most pirates won't care about the source, and will just continue pirating the binaries as they have done for years. People who are capable of compiling and/or modifying source are usually developers themselves and more likely to respect copyrights.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    15. Re:Set it free!!!!! by Anonymous Coward · · Score: 0

      Wrong. I work as a software developer and still pirate 100% of the software I use at home. Why pay when I can get it for free, right?

    16. Re:Set it free!!!!! by cavreader · · Score: 1

      I never said you cannot make money on open source software but this applies only to people or companies whose business model is centered around providing support and bug fixes. Redhat adopted a business model based on charging for support but that option is not universal. The original post on this thread intimated that all source code should be automatically open sourced from the first release.

    17. Re:Set it free!!!!! by Bert64 · · Score: 1

      "more likely" != "always", there are always exceptions.

      And the fact that you pirate software for which you don't have the source just goes to show that releasing source code isn't going to have any impact on piracy.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  4. How it probably went down... by Anonymous Coward · · Score: 1, Insightful

    "Hey, Chien, it costs waaaaay too much for these VMWare licenses. it's too bad we can't build our own."

    "Well, they did give us the source code. But they'd get mad at us."

    "Not if we tell them it was stolen."

  5. "proactively shared" by nurb432 · · Score: 1

    So that means the code is already available if you wanted it bad enough. *yawn*.

    I can see reasons for it to be shared, like when companies want to tightly integrate their products and the published API's aren't at a low enough level to do it. Other companies do this too.

    Problem is that today's friends are often tomorrow's enemies. (Just look at the OS/2 debacle between IBM and Microsoft...)

    --
    ---- Booth was a patriot ----
  6. Ahh here comes the cloud hack! by NetNinja · · Score: 1, Informative

    I am waiting for my " I told you so!" moment.

    Chinese contractors, non-US-citizen contractors. Yes yes, the cheapest bidders! As long as everyone is making their 10% on their stocks everyone is happy, right?

    1. Re:Ahh here comes the cloud hack! by zlives · · Score: 1

      and where would you direct the hate if it was US hackers that leaked the code... because they never do that :)

  7. Shouldn't matter in theory by Junta · · Score: 4, Informative

    No matter how well you understand how a piece of software is implemented, it shouldn't expose any sort of vulnerability. If VMWare legitimately has cause for concern, they were doing it wrong from the start.

    While they have probably had viable reason to keep it closed (ESXi did enjoy a pretty secure technical advantage), it's probably approaching time for them to open source the hypervisor since there is now pretty viable competition from KVM and Xen nowadays. They currently are trying to hold their core technology capabilities hostage to force upsell into their management stack (e.g. the many features that are disabled except through vCenter that aren't really inherently requiring vCenter), but that strategy doesn't work when the prospective customers can jump ship pretty easily to less restrictive technologies.

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:Shouldn't matter in theory by Anonymous Coward · · Score: 1

      ESXi did enjoy a pretty secure technical advantage

      Yeah, right.

      With ESX there was a perfectly functional firewall based on iptables. When ESXi came out, VMware removed the firewall, then had the gall to claim it's MORE secure because it's based on busybox instead of ESX being based on redhat.

      Some time later, VMware realized they were idiots and put the firewall back in ESXi 5.

    2. Re:Shouldn't matter in theory by DeSigna · · Score: 1

      What benefit would VMware gain from open sourcing the hypervisor?

      Feature wise they're well ahead of the pack, especially when you add in the full vSphere environment. If they did open source it, they would just be donating all those nifty features to the OSS hypervisors. There's already ample competition to keep them on their toes.

      Xen and KVM don't really play in the same space as VMware, they seem to be pointed more at high end environments, like VPS hosting or "clouds", where licensing costs hit hard, you've got a large staff and there is ample scope for automation and customisation. VMware aims for simple, scalable and easy to manage.

    3. Re:Shouldn't matter in theory by x3CDA84B · · Score: 1

      No matter how well you understand how a piece of software is implemented, it shouldn't expose any sort of vulnerability. If VMWare legitimately has cause for concern, they were doing it wrong from the start.

      Meanwhile, in the real world, every piece of software has flaws, and now VMWare's are likely to be discovered very quickly.

    4. Re:Shouldn't matter in theory by Bert64 · · Score: 1

      Only because the source code is leaked rather than open, white hat researchers won't touch it for reasons of legal liability... Thus, only black hats will be reading the source code looking for vulnerabilities, and then using those vulnerabilities for nefarious means rather than seeking to have them fixed.

      Meanwhile, most of vmware's competitors have been open from the start so the low hanging fruit will have already been taken.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    5. Re:Shouldn't matter in theory by drsmithy · · Score: 1

      Thus, only black hats will be reading the source code looking for vulnerabilities [...]

      Right. Because VMware would never audit their own code.

  8. No need source by jedwidz · · Score: 2, Funny

    If you're serious you don't need source code anyway. Once you have the executable object code (as a paying customer or whatever), you can reverse engineer source code easily enough.

    The original source code just makes it easier to understand how the object code works. And if the original source is sparsely commented, or the object code includes debugging info, the benefits are less.

    Source code is most useful for situations where you don't have access to the object code, such as hosted services, embedded systems, etc.

    1. Re:No need source by Anonymous Coward · · Score: 0

      Good luck with Skype.

    2. Re:No need source by ledow · · Score: 4, Insightful

      That's certainly true, if you think that a reverse-engineer's time is free.

      There have been successful reverse-engineering projects, of course, but nowadays it's pretty much out of most people's realm unless there's EXTREME interest in doing so. By the same token, you could say that you could "just" reverse-engineer Windows and it's as simple as that. Not quite. You could "just" reverse-engineer Steam, too, but that's not really been done either.

      Modern software projects are HUGE compared to even 10 years ago. A 50Mb executable barely raises eyebrows anymore, and that's not even getting all the associated libraries and DLL's. Of course it's possible, but it's far from viable unless you have some extreme impetus to do so and are willing to spend years.

      It took something like 5 years to "reverse engineer" Transport Tycoon (the OpenTTD project is from a reverse-engineering of the original DOS executables by ludde, I believe, the same guy who started ScummVM by reverse-engineering the SCUMM-engine games) - and that used lots of modern tools on a tiny, ancient DOS executable for a game that used well-known standard languages of the time and still took years to do. To my knowledge, still nobody knows how to defeat the copy-protection on the original Master of Orion properly (GoG.com just give you a copy of the protection sheet as a PDF).

      Now think about any decent size modern software project and the chances are that it would take either a VERY dedicated team years, or a particular individual decades to get close to reverse-engineering it (in which time, they could quite literally just write an equivalent themselves anyway). VMWare is hardly a simple piece of software, probably one of the most complicated you can make, what with having to have intimate and perfect knowledge of the machine you're on and the one you're emulating and dealing with all the middle-layers in-between to ensure it works. You probably couldn't reverse-engineer it (certainly not "clean-room" standard) for less than the time/price it would cost to just build your own.

      There was a time when you could just throw an executable through simple utilities to get equivalent C source and then work from there to add detail so that you end up with C source that compiles back to the original (or equivalent) and that can be understood by your average programmer. You still can, in fact. But it's not a Sunday afternoon job. And now it's orders-of-magnitude more complex than it used to be back in the hey-day of reverse-engineering executables.

      The chances of any modern program being manually reverse-engineered (honestly - this isn't something that can be done automatically and the results understood enough to actually do anything useful with) are slim just because of the sheer extent of the effort involved and the complexity of modern software. You know how people complain that a Hello World is now a 1Mb executable? Multiply that up by something like VMWare's complexity.

      And above all that, reverse-engineering is one of THE most difficult things to do on a piece of software. The majority of programmers would never be able to do it. Why do you think there's no "free" program that can connect to Skype (which we have DOZENS of executables for and not one open-source reimplementation), or why Pidgin can't do video over most of the protocols it supports (that DO support video in the official client), or why ReactOS just barely runs and Wine has taken years to get to the point where it can only just run most things after HUGE investment of time and money from thousands of programmers when all it needed to "know" was the public API that everyone was programming against anyway, not even how Windows implements it?

      It's technically correct. I wouldn't rely on a program to hold some "secret" way of connecting to somewhere. But unless someone huge (government or corporate) has a really vested interest in breaking your program, reverse-engineering is probably never going to happen.

    3. Re:No need source by alphatel · · Score: 1

      But unless someone huge (government or corporate) has a really vested interest in breaking your program, reverse-engineering is probably never going to happen.

      I have intuited that you have posted that reverse-engineering is difficult.

      • Software is complicated
      • Companies have better things to do
      • It's easier to write your own

      I have reverse-engineered your post. Took less time than having my own opinion!

      --
      When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
    4. Re:No need source by CowTipperGore · · Score: 1

      To my knowledge, still nobody knows how to defeat the copy-protection on the original Master of Orion properly (GoG.com just give you a copy of the protection sheet as a PDF).

      Just a minor point - the GOG version of MOO prompts for the ship just like the retail game did, but it doesn't care which one you choose. They did work around it somehow.

    5. Re:No need source by ledow · · Score: 1

      I was informed previously that MOO's copy protection isn't a "get it wrong and get thrown out".

      What happens is that the game gets stupidly, impossibly hard if you fail the copy protection checks but it takes a long time to see the actual effect.

    6. Re:No need source by CowTipperGore · · Score: 1

      No, that's incorrect. It would end your game and delete the saved game associated with it. You absolutely knew immediately if you had failed the copy protection check.

    7. Re:No need source by jedwidz · · Score: 1

      I was referring specifically to reverse-engineering source code, which as you acknowledge is just a matter of tooling.

      From there the difficulty level depends on what you want to do with that source.

      If the aim is to patch in back doors or surveillance, that isn't likely to require a thorough understanding of how the software works, and a well-resourced attacker certainly ought to be able to pull it off.

      If the aim is to re-engineer a compatible or competing product, without directly plagiarizing the original (as in the examples of ScummVM and Skype you mentioned), I agree that's going to be difficult and expensive. But still, having reverse-engineered source is going to help, not hinder.

  9. torrent? by TheRealMindChild · · Score: 1

    torrent lik plz

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
  10. Reason of hacking ? by Taco+Cowboy · · Score: 1

    I am quoting tfa from arstechnica:

    the hacker Hardcore Charlie told Reuters earlier this month that he hacked into CEIEC seeking information on the US military campaign in Afghanistan

    Apparently that hacker hacked into CEIEC - a Chinese military contractor - looking for information on the US military campaign in Afghanistan.

    It's like hacking into a system owned by Palestinians looking for information regarding the Israeli military campaign.

    Makes a lot of sense, doesn't it?

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re:Reason of hacking ? by Luckyo · · Score: 3, Insightful

      Not really. China has a lot of intel presence in the region, and unlike US it will likely be less secure because it's not intel about THEIR OWN important operations.

      So it makes a lot of sense to go after China's data on US Afghan operations.

    2. Re:Reason of hacking ? by Anonymous Coward · · Score: 0

      It's like hacking into a system owned by Palestinians looking for information regarding the Israeli military campaign
      Makes a lot of sense, doesn't it?

      Palestine has a lot of resources dedicated to obtaining Israel's State secrets.

      If you can't break into the bank vault, wait for the other guy to rob it and steal it from him instead.

  11. Unbelievably naive top management by gestalt_n_pepper · · Score: 1, Insightful

    If you're dumb enough to give your source, or any other monetizable data to the Chinese, Indians, Pakistanis, etc. don't be surprised to find it suddenly (ahem) "stolen."

    VMWare has nobody but its naive, insular, overly trusting top management to blame. They have no effective legal recourse. What did they think would prevent this, a gentleman's agreement?

    --
    Please do not read this sig. Thank you.
    1. Re:Unbelievably naive top management by Anonymous Coward · · Score: 0

      So Indians, Chinese and Pakistanis are all the same? Wowww, I guess you are half monkey and half American

    2. Re:Unbelievably naive top management by Anonymous Coward · · Score: 0

      If you're dumb enough to give your source, or any other monetizable data to the Chinese, Indians, Pakistanis, etc. don't be surprised to find it suddenly (ahem) "stolen."

      I'd find it hard to believe if it wasn't for the fact that my employer is starting to go down the same route. Give those nations our source code, secure it against misuse with an NDA/licensing agreement (hahahha), then sit back and watch the money roll in. What could possibly go wrong!

      I think this must mark the point VMWare jumped the shark. It seems they have gone from a tech company to being a "business" (if you know what I mean) run by PHBs. Oh well, it was nice knowing you VMWare.

    3. Re:Unbelievably naive top management by Anonymous Coward · · Score: 0

      All the same? Hardly. But when dealing with the Asian companies, they've seemed much more likely to walk off with trade secrets and source code. They've also been much more engaged in bribery as a normal way of doing business: it's very confusing to Americans who tend to be very, very clumsy at bribery but fabulous at swapping insider secrets for stock manipulation.

    4. Re:Unbelievably naive top management by mab · · Score: 1

      Well that is the way the US got rich. They pretty much ignored copyright when it suited.

  12. ...and nothing of value was lost by IGnatius+T+Foobar · · Score: 1

    Well yes, VMware is still the market leader, but what would anyone do with this source code anyway? It's not as if VMware has anything left to teach the rest of the world about virtualization. The rest of the world has pretty much caught up and virtualization is a commodity now.

    --
    Tired of FB/Google censorship? Visit UNCENSORED!
    1. Re:...and nothing of value was lost by Anonymous Coward · · Score: 0

      Well yes, VMware is still the market leader, but what would anyone do with this source code anyway?

      Pull your head out of your ass.

    2. Re:...and nothing of value was lost by Anonymous Coward · · Score: 0

      I would like btrfs / softraid support in ESXi

      If I could hack it in reasonably with the source code I probably would.

    3. Re:...and nothing of value was lost by swb · · Score: 1

      Did they have anything to teach the rest of the world about virtualization to begin with? I know I've read plenty of posts here on how IBM was doing this with VM/CMS decades ago, complete with many of the facilities we associate with VMware.

      What VMware got good at was making x86 virtualization work, given the x86 platform's inherent limitations and lack of native virtualization abilities (IIRC, ESX was released long before Intel added VT, to whatever degree that helps).

      At this point, I think you're largely right in terms of the hypervisor itself, but IMHO what they still seem to have the lead on is the next logical step in virtualization, which is management of many hypervisors (and hence VMs).

  13. Which theory? by bill_mcgonigle · · Score: 1

    No matter how well you understand how a piece of software is implemented, it shouldn't expose any sort of vulnerability.

    When you say, "in theory" you need to include psychology and sociology, not just computer science.

    There's a reason people clean up code before they release it as open source.

    there is now pretty viable competition from KVM and Xen nowadays

    The difference is that Xen has been looked at by the good guys and the bad guys for years. Like it or not ESX is now open source (non-OSI definition), but only for the bad guys.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  14. Carefully guarded secrets by Anonymous Coward · · Score: 0

    This is going to have an impact on the virtualisation / emulation crowd. If the code for that was leaked, it means at least a decade of tricks and optimisations in emulation (which is quite hard to make performant) was just made available to lurkers.

  15. It still amazes me... by Tastecicles · · Score: 1

    ...how any company thinks placing industrial secrets on a World-facing node can in any way be described as a smart decision?

    Or was it done deliberately?

    --
    Operation Guillotine is in effect.
    1. Re:It still amazes me... by Anonymous Coward · · Score: 0

      Where did you get this info?

  16. Since it's a trade secret, what's the problem? by Anonymous Coward · · Score: 0

    A trade secret loses protection when released. Therefore why on earth is this a problem for anyone other than the keeper of the Secret?

  17. Why steal an inferior product source? by Anonymous Coward · · Score: 0

    .. when the most performant solution is free.

    KVM is far faster than VMware's solution and far less resource intensive, and can host Windows, Linux (and OSX with a little patching currently) guests.

  18. Oh yeah Threatpost Propaganda by Anonymous Coward · · Score: 0

    Cutting through all the ego, bullshit and lies...

    FUCK THREATPOST. and KASPERSKY THE FUCKIN NAZIS PROPAGANDA FEAR FACTORY.

    use
    http://www.h-online.com/
    instead

    And slashdot, STOP doin this shit. We get it you love DARPA and big brother.

  19. Not Just VMWare by Anonymous Coward · · Score: 1

    Other VMs had source leaks, too.

    Xen had a source leak.
    Virtualbox had a source leak.
    Even KVM had a source leak.

    These VM people better get their act together!

  20. We don't spy on foreigners that way by s.petry · · Score: 1

    if (LANG ~= en_US){DEFINE USE_TSA_SPYCODES}else{/*Fuck it, we are TSA */RETURN=0};

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  21. Old code by nprz · · Score: 1

    From the confirmation on VMware site

    Yesterday, April 23, 2012, our security team became aware of the public posting of a single file from the VMware ESX source code and the possibility that more files may be posted in the future. The posted code and associated commentary dates to the 2003 to 2004 timeframe.

    So, they have an 8-9 year old version of the source code. That is ESX version 2/2.5, right? If that is the case, not much was lost and most of the code has changed. This is before hardware virtualization and even 64-bit support.

    Unless the hacker posts something indicating a newer version, there doesn't seem to be much to worry about.