Posts in General

VMworld 2006: ReAssure (CERIAS), VIX and Lab Manager (VMware)

Tuesday, November 07, 2006 by Pascal Meunier in General, R&D,

The conference is surprisingly huge (6000 people). Virtualization is obviously important to IT now. I am looking forward to the security-related talks (I'll post about them later). Here are a few notes from the sessions I attended:

Saturday a VMware team shot a video of yours truly talking about ReAssure (of course I became tongue-tied when the camera was turned on!). It will be presented at the general session Wednesday morning. I hope it generates interest in ReAssure!
The VIX API on Tuesday morning was a very interesting session. It will enable the remaining automation functionality of ReAssure. It allows to automate the powering on and off of virtual machines, the taking of snapshots, transfering files (e.g., results) between the host and guest OS, and even starting programs in the guest OS! It was introduced with VMWare server 1.0 last summer, but I hadn't noticed. It is still work in progress though; there's support only for C, Perl and COM (no Python, although I was told that there was a source forge project for that).
The VMware lab manager (introduced last summer) is very much like ReAssure. Except, ReAssure doesn't have IP conflicts, and in ReAssure all experiments ("deployed configurations") are independent and their traffic is isolated with VLANs. In some respects, VMware lab manager is more sophisticated, and in others it is more primitive. For example, all networks in Lab Manager are flat (and even, all experiments share the same network, apparently), whereas ReAssure supports complex networks. To resolve IP conflicts, Lab Manager uses "fenced networks" which is a NAT hack. Lab Manager is also limited to fibre channel NAS, and is tied to VMware ESX while disabling most of what makes ESX flexible and interesting (ReAssure uses the VMware server freeware). I'm excited about the VIX API (see above) because will bring ReAssure beyond lab manager, by allowing snapshots, suspend and resume functionality, etc...I wonder what I need to do to make ReAssure more well-known and adopted. I haven't found any bugs in it for a while, so I think I'll officially release the first final (not beta) version very soon (e.g., Friday or next week).

Leave a comment (0 so far) »

Irony: See Wikipedia

Monday, November 06, 2006 by spaf in General,

[tags]malicious code, wikipedia, trojan horse,spyware[/tags] Frankly, I am surprised it has taken this long for something like this to happen: Malicious code planted in Wikipedia. The malicious advertisement on MySpace from a while back was a little similar. Heck, there were trojan archives posted on the Usenet binary groups over 20 years ago that also bring this back to mind -- I recall an instance of a file damage program being posted as an anti-virus update in the early 1980s! Basically, anyone seeking “victims” for spyware, trojans, or other nastiness wants effective propagation of code. So, find a high-volume venue that has a trusting and or naive user population, and find a way to embed code there such that others will download it or execute it. Voila! Next up: viruses on YouTube?

[posted with ecto]

Leave a comment (0 so far) »

The Dilbert Blog: Electronic Voting Machines

Tuesday, October 31, 2006 by spaf in General, Kudos, Opinions and Rants,

Once again, Scott Adams cuts to the heart of the matter. Here's a great explanation of what's what with electronic voting machines. The Dilbert Blog: Electronic Voting Machines

Leave a comment (0 so far) »

Now THIS is how to have secure passwords!

Tuesday, October 24, 2006 by spaf in General, Secure IT Practices,

Someone sent the following to me as an example of how to ensure secure passwords Microsoft claims this message is an error. However, I think we all can see this is simply a form of extreme password security of the sort I wrote about in this post.

Who do you trust?

Tuesday, October 10, 2006 by spaf in General, Kudos, Opinions and Rants, Secure IT Practices,

In my earlier posts on passwords, I noted that I approach on-line password “vaults” with caution. I have no reason to doubt that the many password services, secure email services, and other encrypted network services are legitimate. However, I am unable to adequately verify that such is the case for anything I would truly want to protect. It is also possible that some employee has compromised the software, or a rootkit has been installed, so even if the service was designed to be legitimate, it is nonetheless compromised without the rightful owners knowledge. For a similar reason, I don't use the same password at multiple sites -- I use a different password for each, so if one site is “dishonest” (or compromised) I don't lose security at all my sites. For items that I don't value very much, the convenience of an online vault service might outweigh my paranoia -- but that hasn't happened yet. Today I ran across this: MyBlackBook [ver 1.85 live] - Internet's First Secure & Confidential Online Sex Log! My first thought is “Wow! What a way to datamine information on potential hot dates!” :-) That quickly led to the realization that this is an *incredible* tool for collecting blackmail information. Even if the people operating it are legit (and I have no reason to doubt that they are anything but honest), this site will be a prime target for criminals. It may also be a prime target for lawyers seeking information on personal damages, divorce actions, and more. My bottom line: don't store things remotely online, even in “secure” storage, unless you wouldn't mind that they get published in a blog somewhere -- or worse. Of course, storing online locally with poor security is not really that much better.....

Leave a comment (0 so far) »

Recent Blogs

Blog Archive

Posts in General

Page Content

VMworld 2006: ReAssure (CERIAS), VIX and Lab Manager (VMware)

Recent Blogs

Blog Archive