With Determina, VMware drops fortress mentality
And tries to undo the Blue Pill confusion.
By Robert McMillan, IDG News Service | Techworld | Published: 09:00, 12 May 2008
VMware says it's received a bad rap when it comes to security.
The company's problems started with a 2006 presentation at the Black Hat security conference by Joanna Rutkowska, CEO of Invisible Things Lab. Ironically, Rutkowska's "Blue Pill" talk had nothing to do with VMware. It was about creating undetectable malicious software using the virtualisation technology built into microprocessors.
But nevertheless, VMware is the world's best-known virtualisation company, so any questions about virtualisation and security "naturally became a VMware problem," said Nand Mulchandani, the company's senior director for security products.
"Blue Pill kind of set things off, but unfortunately it set things off on the wrong foot," he said. Soon VMware was fielding questions from worried customers. "They escalated it to our team and they said, 'Oh my God, we're going to get attacked by Blue Pill. What do we do?'"
Mulchandani has been trying to get the message across that the Blue Pill CPU virtualisation hack is not connected to VMware's software, which is widely used on datacentre servers to simultaneously run many copies of the operating system on a single computer.
It's one of several security messages that Mulchandani is trying to convey these days, as the company looks to repair its reputation in the security community while developing new products that will keep it one step ahead of rivals.
Critics say VMware must shoulder some of the blame for the Blue Pill confusion and that it harmed itself by attacking Blue Pill in company blog postings. "They took the easy route, which was to attack Joanna's research," said Tom Liston, a senior security consultant with Intelguardians Network Intelligence. "It was just a big brouhaha with VMware jumping in where they didn't belong."
The feud with Rutkowska flared up at a low point in the company's relationship with independent security researchers. Employees who had been working with researchers like Liston left, and by early 2007 the company had developed a reputation as being unresponsive to bug reports, something Mulchandani calls "Fortress VMware."
Mulchandani says the issue was simply that VMware didn't have the people in place to respond to the community. That changed, however, with the company's 2007 acquisition of intrusion-prevention software vendor Determina.