Category Archives: Security

VMware Security Note: ESX Source Posted

The VMware Security Response Center has just posted the following announcement:

Yesterday, April 23, 2012, our security team became aware of the public posting of a single file from the VMware ESX source code and the possibility that more files may be posted in the future. The posted code and associated commentary dates to the 2003 to 2004 timeframe.

The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers.


Update, April 25th: I’ve been contacted to discuss this story in more detail. Here are some general points I have made.

  • VMware is being proactive in notifying customers and the public. They will provide further details if and when necessary, but you can see from the announcement that they are attentive to the risk and assessing it thoroughly. There was no prior announcement.
  • The breach of the China National Electronic Import-Export Company (CEIEC) at the start of this month (Apr 2nd) is being reported as related to this announcement. The US Government imposed sanctions against CEIEC in December of 2006 (FR Doc No: E6-22630) under “Section 3 of the Iran and Syria Nonproliferation Act”.
  • Do not download files from the CEIEC breach without taking special precautions against malware and exploits.

2nd Update, April 25th: The Register has posted a blurry image of the stolen code, covered in “Death Card” images. That is probably an historical reference to the “Ace of Spades,” which has been popularised as a victory taunt in American pop-culture.

The actual effect of the card, however, is far from what has been depicted in Hollywood and thus likely to be different from what was intended by those releasing the ESX code. Its history and effect are explained in detail by PsyWarrior, who includes a quote attributed to “Lieutenant Colonel William J. Beck who commanded the 4th PSYOP Group from 15 October 1967 to 7 October 1968”:

Any survey of the PSYOP program in Vietnam reveals that many psy-operators are frustrated by the lack of signs of tangible success in the PSYOP effort…Perhaps in an attempt to overcome this deficit many appear to be impressed with the values of what can only be called propaganda gimmicks. This includes the use of the ace of spades, special lighting effects, and ghostly loudspeaker broadcasts.

This aspect, unfortunately, has often reduced idea formation on the part of these operators and staff to the level of “gimmicky” and more or less desperate attempts to find a quick solution and dramatic breakthrough. This is not good PSYOP.

The Ace of Spades, therefore, appears historically to be a reference to attackers who struggle with a “lack of signs of tangible success”.

Bait Car – Surveillance Setup Tricks

Super Circuits has an amusing story of how they simplified the setup of a “bait car”:

Can you visualize this? The space we were working in was 2”X5” wide, with Jake trying to squeeze his hand into this small space and attempting to attach a camera on the side of the opening with two different glues going. Although we did manage to get it to work, it took a couple of hours, two people and several attempts.

There had to be a better way.

I walked away from this situation thinking “it shouldn’t be this hard”. Obviously, there isn’t an option, nor does it make sense, to redesign vehicles around camera installations. So with that off the table, I was left trying to figure out what I could do to make it easier for people whose primary job is not installing electronic components, but is to capture the bad guy with the assistance of electronic components. Here’s what we came up with.

The answer is foam.

Low Speed Chase Memorial

Earlier, I wrote about the tragedy of Low Speed Chase. A touching and beautiful memorial was held on Saturday on the water near the San Francisco Yacht Club.

Below is a brief capture I made at the memorial, as we passed by the bagpiper on Farallon.

Low Speed Chase Memorial Pipes (6MB mp4)

I’ve compressed the video significantly (from 80MB) but left the audio alone. The buzzing in the background is from a helicopter flying overhead.

Update: A Sikorsky S-64 Skycrane helicopter left Half Moon Bay Airport and reached the Farallon Islands in 15 minutes, picked up the boat and returned. This was the last week to retrieve the boat before the Islands would be closed and protected as a bird sanctuary until October.

Wood Helmets

A company in Oregon is out to prove that wood helmets make more sense than the foam and plastic ones everyone loves to hate.

Wood Helmet

Wood…can, with sufficient energy, be crushed and absorb significant energy, just as the EPS in most bicycle helmets is designed to do. Different species of wood have somewhat different properties of course and even within the same species different samples of wood behave somewhat differently. But almost any sample of wood is capable of absorbing more energy than the types of plastics typically used in mass produced bicycle helmets.

[…]

What this means for helmets is that, when used in the shell, wood can help absorb the energy of dangerous impacts to a degree that is not currently available through helmets with plastic or composite shells. Wood typically absorbs energy best at energies somewhat higher than the high density EPS that most bicycle, skate, motorcycle and ski helmets use. This means that the wood shell provides significant protection over a greater spectrum of impact energies.

One small problem remains. Very small production numbers mean they cost two to three times as much as a plastic helmet. Increasing production would raise the question of a sustainable source of material. Ok, that’s two problems. But the latter seems easy to solve. Price (setting aside issues of fashion/coolness) is a big barrier to helmet adoption, not a lack of energy absorption.