Category Archives: History

$200M Sea Shadow Sent to the Chopping Block

The LA Times has posted an amusing story on the current GSA auction for a giant invisible catamaran.

Sea Shadow

…the U.S. Navy, which — after five years of trying and failing to donate the stealthy Sea Shadow to a museum — is now selling the ship for scrap metal in an online auction. All bids must be in at 3 p.m. Pacific time Friday. But there’s a catch. To win the auction, the successful bidder must agree to dismantle and scrap the Sea Shadow within six months…

What if you are a museum? Suddenly it is not good enough to be a museum?

Obviously the ship’s stealth is limited, otherwise the government would not be able to know what you did with it after winning the auction, right?

This is my favorite part of the story.

“On a typical night of testing, the Navy sub-hunter planes made 57 passes at us and detected the ship only twice,” he wrote. “A typical warship was a very high reflector of radar — a radar profile equal to about fifty barns. Our frigate would show up a hell of a lot smaller than a dinghy.”

That’s good news. The test success suggests that the stealth technology in use today has come a long way since the $200 million invested in 1985. Perhaps stealthy floating sea barns would now appear to be oar-sized? What’s a unit smaller than a dinghy? Life preserver?

More to the point, who in the world uses barns as a measure of size, especially when looking for something floating on the water? Perhaps it comes from people who think differently than the average person; people who use very precise and technical language to present their view of the world. People like this:

“I am amazed that it’s up for auction and a museum didn’t take it,” said Sherm Mullin, retired head of Lockheed’s Skunk Works. “But when I stop to think about it for about 10 microseconds, it becomes apparent to me that ships are difficult to take care of — a lot more difficult than airplanes.”

10 what? I would not even qualify 10 microseconds as a stop. That’s more like a yield in my mind. A speed bump at best.

Personally I would consider making bids for it but sadly it only comes with one microwave oven. I’d want at least a camp stove if I’m going to spend over $100K on a yacht. Although, I bet that microwave can cook food faster than anything on the market. Tuna in 10 microseconds anyone?

At the Edge of the Abyss

Tablet Magazine has posted a book review for a new English version of At the Edge of the Abyss: A Concentration Camp Diary, 1943-1944.

Three things mark At the Edge of the Abyss as an utterly distinctive and unique work of Holocaust literature that must be read now that an English-language translation exists. First, the insider account of a camp; second, Koker’s literary and analytic abilities; and third, the only first-person report of an encounter between a Jew and Heinrich Himmler, head Nazi and overseer of all the camps.

[…]

Somehow, Koker also finds beauty inside the physical landscape of the camp. From one poem dated May 17, 1943: “The evening air so pure and intimate/ A sky that’s hazed in whiteness by the sun/ and trees with foliage in great profusion/ with glittering flecks of silver from the sun.” He is also occasionally magnificently insightful. Jan. 6, 1944: “The goal is neither happiness nor unhappiness. It’s the unfolding of human potential. The development of that piece of the universe that you represent, as it were, even when it happens at the expense of what people call the self and their own welfare. Actually, it always happens at their expense. By feeling a lot we expand the world.”

One of the interesting aspects of the story is how the diary survived. The original documents have been digitised and can be found online at the Koninklijke Bibliotheek, GeheugenVanNederland: Oorlogsdagboek van Koker, David (the war diary of David Koker).

VMware Security Note: ESX Source Posted

The VMware Security Response Center has just posted the following announcement:

Yesterday, April 23, 2012, our security team became aware of the public posting of a single file from the VMware ESX source code and the possibility that more files may be posted in the future. The posted code and associated commentary dates to the 2003 to 2004 timeframe.

The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers.

Update, April 25th: I’ve been contacted to discuss this story in more detail. Here are some general points I have made.

  • VMware is being proactive in notifying customers and the public. They will provide further details if/when necessary but you can see from the announcement that they are attentive to risk and assessing it thoroughly. There was no prior announcement.
  • The breach of the China National Electronic Import-Export Company (CEIEC) at the start of this month (Apr 2nd) is being reported as related to this announcement. The US Government imposed sanctions against CEIEC in December of 2006 (FR Doc No: E6-22630) under “Section 3 of the Iran and Syria Nonproliferation Act”.
  • Do not download files from the CEIEC breach without taking special precautions against malware and exploits; treat any such archive as untrusted input and examine it only on an isolated, non-production system.

2nd Update, April 25th: The Register has posted a blurry image of the stolen code, covered in “Death Card” images. That is probably an historical reference to the “Ace of Spades,” which has been popularised as a victory taunt in American pop-culture.

The actual effect of the card, however, is far from what has been depicted in Hollywood and thus likely to be different from what was intended by those releasing the ESX code. Its history and effect are explained in detail by PsyWarrior, who includes a quote attributed to “Lieutenant Colonel William J. Beck who commanded the 4th PSYOP Group from 15 October 1967 to 7 October 1968”:

Any survey of the PSYOP program in Vietnam reveals that many psy-operators are frustrated by the lack of signs of tangible success in the PSYOP effort…Perhaps in an attempt to overcome this deficit many appear to be impressed with the values of what can only be called propaganda gimmicks. This includes the use of the ace of spades, special lighting effects, and ghostly loudspeaker broadcasts.

This aspect, unfortunately, has often reduced idea formation on the part of these operators and staff to the level of “gimmicky” and more or less desperate attempts to find a quick solution and dramatic breakthrough. This is not good PSYOP.

The Ace of Spades, therefore, appears historically to be a reference to attackers frustrated by a “lack of signs of tangible success”.

Sleep and the 25% breached

CDW has published a Data Loss Straw Poll with the headline “One in four organizations has experienced a data loss in the last two years.”

CDW’s Data Loss Straw Poll surveyed 654 IT professionals from business, financial services, healthcare and higher education about data loss and what’s still keeping them up at night.

That is a typically small sample. As I have explained in my RSA presentations since 2009, sample size really does matter. There are nearly 6 million companies in America. Are we confident to extrapolate from these 654 people?
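The sample-size question can be put to a quick check. What follows is an added example, not from the original post or from the CDW report; it takes the post’s numbers (654 respondents, 25% reporting a loss, roughly 6 million US companies) as assumptions and computes what they would support under simple random sampling, which is precisely the assumption a straw poll of self-selected respondents does not meet.

```python
import math

# Constructed inputs taken from the post: 654 respondents, 25% reporting a
# data loss, roughly 6 million US companies. All three are assumptions.
N_RESPONDENTS = 654
P_OBSERVED = 0.25
N_POPULATION = 6_000_000
Z_95 = 1.96  # two-sided 95% normal quantile


def standard_error(p: float, n: int) -> float:
    """Standard error of a sample proportion under simple random sampling."""
    return math.sqrt(p * (1 - p) / n)


def margin_of_error(p: float, n: int, z: float = Z_95) -> float:
    """Normal-approximation half-width of the confidence interval."""
    return z * standard_error(p, n)


def wilson_interval(p: float, n: int, z: float = Z_95) -> tuple[float, float]:
    """Wilson score interval: better behaved than the normal approximation
    for proportions near 0 or 1 and for small n."""
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return centre - half, centre + half


def finite_population_correction(n: int, population: int) -> float:
    """Factor by which the standard error shrinks when the sample is a
    non-trivial share of the population. It stays close to 1.0 whenever
    n is tiny relative to the population, so the ratio 654 : 6,000,000
    on its own says almost nothing about the poll's precision."""
    return math.sqrt((population - n) / (population - 1))


def required_sample_size(moe: float, p: float = 0.5, z: float = Z_95) -> int:
    """Respondents needed for a given margin of error, assuming random sampling."""
    return math.ceil(z * z * p * (1 - p) / (moe * moe))


if __name__ == "__main__":
    moe = margin_of_error(P_OBSERVED, N_RESPONDENTS)
    lo, hi = wilson_interval(P_OBSERVED, N_RESPONDENTS)
    fpc = finite_population_correction(N_RESPONDENTS, N_POPULATION)
    print(f"25% of {N_RESPONDENTS}: +/-{moe:.1%} (normal), Wilson [{lo:.1%}, {hi:.1%}]")
    print(f"finite population correction for {N_POPULATION:,} companies: {fpc:.5f}")
    print(f"n for +/-3 points at p=0.25: {required_sample_size(0.03, P_OBSERVED)}")
```

Under random sampling the 25% figure carries a margin of roughly ±3.3 points, and the finite population correction for 6 million companies is about 0.99995, so the ratio of 654 to 6 million is not what limits the poll. What limits it is representativeness: who chose to answer, drawn from which customer base, and how “data loss” was defined for them. That is the further analysis the report needs before the headline number is extrapolated.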

They also make the strange assumption that IT managers actually sleep at night. I thought the whole idea of alerts and mobile devices was to prevent anyone in IT from ever sleeping again. CDW’s report centers on the obvious connection between a device that is always with you, delivering bad news, and the resulting anxiety that makes it difficult to relax or rest.

DATA LOSS = SLEEP LOSS […] MOBILITY TRIGGERS SLEEPLESS NIGHTS

I think it’s more accurate to say change triggers sleepless nights. Mobility is not new, but the consumer-driven changes in mobility keep IT from settling down. CDW also tries to make a statement about who is less tired, but I don’t buy this analysis at all:

Financial services organizations can sleep more soundly than their colleagues in other markets

I could make the argument, for example, that those sleeping more soundly have their phones turned off, or have their alerts disabled, or are simply unable to detect issues in real-time — they wake up rested and only then discover data loss. So there’s a false dichotomy of sleep versus security. You might actually be more secure when you are losing sleep…SLEEP LOSS = SAFETY?

In my 2010 presentation at RSA I used the Siege of Yodfat in 67 CE as an example of this exact issue.

The sentries slept at a particular time. An insider leaked that information to the Roman armies and enabled them to finally breach a perimeter that had seemed impenetrable. In other words, the defenders slept soundly because they thought they were safe enough to rest, and that confidence itself created the weakness. The flip side of this argument is sustainability. Sleep loss is a resource management issue and raises the question of reserves, offsets (e.g. Basel II), etc., but rather than get into the deeper economics and history of managing loss here (I do that in my presentations) I just wanted to point out that the CDW report needs further analysis.