Misguided Opinion: Why does everyone care about the VMware source being “leaked?”
Suddenly, 17 days after the ‘leak press release’ was published by HardcoreCharlie to pastebin, the news story broke far and wide that VMware source code has been leaked.
Did anyone miss the fact that VMware makes their source available to partners via the TAP program?
To me it seems this “breach” was little more than some sysadmin at some reseller posting a torrent of the source; source that was already available to the “public” (albeit not general). The leak doesn’t appear to be an exfiltration of data from VMware’s servers, which would be actually scary.
This idea hasn’t stopped everyone from ThreatPost to ZDNet from posting about how VMware itself is “downplay[ing] any damage” the leak caused by stating “VMware proactively shares its source code and interfaces with other industry participants to enable the broad virtualization ecosystem today.”
Since VMware makes its source code available to third parties, VMware clearly doesn’t seem to think that it is an asset that needs much protecting; just a restricted audience, or rather, an audience filled with paid seats. Therefore, there is no damage as far as VMware is concerned. It’s like stealing tax forms available in your local IRS office, publishing them online as a “leak,” then having the US government respond to “the event” by stating “yea, we don’t think it’ll hurt anyone who files their taxes.” This is not “downplay[ing] the damage,” as there is no damage.
It’s clearly a shallow shaving off of the data chunk that is VMware’s IP, and a distraction from the real threats and causes of data exfiltration that their global customer base faces on a daily basis. Because VMware itself makes the “leaked” data available, this can barely be considered an exfiltration.
The probable fallout of the leak? Now that the source code may be available not only to commercial entities/partners in the TAP program, but to the world, we can expect the proliferation of exploits. This means that the “source code leak” will eventually cause an increase in security of the VMware kernel and platform. Good!
Or maybe it doesn’t matter. VMware should (and apparently does) have a security team that spends their time analyzing VMware’s software. Likely this security team is hard at work finding and working on patches for existing vulnerabilities in VMware code. Taking a look at the public CVEs for VMware, it’s clear that many people are hard at work doing just this, internal and external to VMware itself. I’m surprised more folks aren’t working hard to reverse patches.
I’d be interested in finding a link to the source code (and when I do, expect a link here), but for now, it’s just a pipe dream of Hardcore Charlie’s.
This brings up another interesting topic. Is it ethical for a search engine to delist results or not service searches containing a certain string if it is deemed dangerous? What defines “dangerous?”