<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress/2.0.2" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
	<title>Comments on: Fear for the Sake Of Fear? Hyper-Jacking Myths?</title>
	<link>http://toutvirtual.com/blogs/2008/09/10/fear-for-the-sake-of-fear-hyper-jacking-myths/</link>
	<description>Best Practices Guide to Virtualization - From Getting Started with Virtualization to Advanced Strategic Virtualization Concepts</description>
	<pubDate>Wed, 07 Jan 2009 03:49:05 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.0.2</generator>

	<item>
		<title>by: Schorschi</title>
		<link>http://toutvirtual.com/blogs/2008/09/10/fear-for-the-sake-of-fear-hyper-jacking-myths/#comment-12419</link>
		<pubDate>Tue, 28 Oct 2008 07:43:25 +0000</pubDate>
		<guid>http://toutvirtual.com/blogs/2008/09/10/fear-for-the-sake-of-fear-hyper-jacking-myths/#comment-12419</guid>
					<description>Actually, you just made the point for me.  You do not hype Hyper-Jacking?  Of course you don't, because it is not, as yet, reality at all.  I suggest that instead of you decrying what you don't like in my blog versus what you think is better in your blog, you consider what is really going on, do some homework.  I have never tried to compare my blog to anyone's blog, I consider that bad form.  Regardless of why or what you may think about my blog, the point is, many authors have been misleading about Hyper-Jacking, especially authors in so-called major publications.  They should be more careful, and more accurate, as you have stated you are, in presenting real issues and real threats to the less technically oriented in the world?  For the record, C2 and C3 ratings are not lame or weak evaluations.  Try developing a product and passing C2 review, it is not trivial nor lightweight.  EAL is one thing, whereas C2 is another.  Again, respectfully suggest some homework on your part.</description>
		<content:encoded><![CDATA[<p>Actually, you just made the point for me.  You do not hype Hyper-Jacking?  Of course you don&#8217;t, because it is not, as yet, reality at all.  I suggest that instead of you decrying what you don&#8217;t like in my blog versus what you think is better in your blog, you consider what is really going on, do some homework.  I have never tried to compare my blog to anyone&#8217;s blog, I consider that bad form.  Regardless of why or what you may think about my blog, the point is, many authors have been misleading about Hyper-Jacking, especially authors in so-called major publications.  They should be more careful, and more accurate, as you have stated you are, in presenting real issues and real threats to the less technically oriented in the world?  For the record, C2 and C3 ratings are not lame or weak evaluations.  Try developing a product and passing C2 review, it is not trivial nor lightweight.  EAL is one thing, whereas C2 is another.  Again, respectfully suggest some homework on your part.
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: Christofer Hoff</title>
		<link>http://toutvirtual.com/blogs/2008/09/10/fear-for-the-sake-of-fear-hyper-jacking-myths/#comment-12382</link>
		<pubDate>Mon, 27 Oct 2008 20:10:12 +0000</pubDate>
		<guid>http://toutvirtual.com/blogs/2008/09/10/fear-for-the-sake-of-fear-hyper-jacking-myths/#comment-12382</guid>
					<description>I don't know which one of the blog entries in the group you were talking about when you referenced the &quot;article&quot; in question, so I can't respond to your point directly.

However, this set of statements is hysterical:

&quot;Unfortunately, this article is misleading. The key virtualization platforms that dominate the industry have been certified and vetted, against known methods and techniques, something this article, among others, never explains and thus never provides a balanced view of the issue. Of course, no one is secure against new techniques and methods, but this article does not explain that point well either, it raises questions, nothing more.&quot;

Certified and vetted?  Against known methods and techniques?  Buahahaha.  So, you're referencing which certifications, exactly?  Common Criteria?  Up to EAL 4, perhaps?  That's not exactly difficult to achieve and doesn't require semiformal or formal design verification, and they do NOT certify or vet that hypervisors cannot be subverted or that guests cannot escape.

And as far as vetting them against &quot;known&quot; methods, that's hardly the issue when referencing on-going research that has shown recently that abuse of device drivers and DMA can lead to all sorts of exploits.

Further, if you read my blog or attended my presentations, you'd discover that I don't hype hyperjacking or virtualization malware at all -- just the opposite.

I presented both sides of the argument in the cited collection of blog pieces above.  How you get fog/fud out of any of them is beyond me.</description>
		<content:encoded><![CDATA[<p>I don&#8217;t know which one of the blog entries in the group you were talking about when you referenced the &#8220;article&#8221; in question, so I can&#8217;t respond to your point directly.</p>
<p>However, this set of statements is hysterical:</p>
<p>&#8220;Unfortunately, this article is misleading. The key virtualization platforms that dominate the industry have been certified and vetted, against known methods and techniques, something this article, among others, never explains and thus never provides a balanced view of the issue. Of course, no one is secure against new techniques and methods, but this article does not explain that point well either, it raises questions, nothing more.&#8221;</p>
<p>Certified and vetted?  Against known methods and techniques?  Buahahaha.  So, you&#8217;re referencing which certifications, exactly?  Common Criteria?  Up to EAL 4, perhaps?  That&#8217;s not exactly difficult to achieve and doesn&#8217;t require semiformal or formal design verification, and they do NOT certify or vet that hypervisors cannot be subverted or that guests cannot escape.</p>
<p>And as far as vetting them against &#8220;known&#8221; methods, that&#8217;s hardly the issue when referencing on-going research that has shown recently that abuse of device drivers and DMA can lead to all sorts of exploits.</p>
<p>Further, if you read my blog or attended my presentations, you&#8217;d discover that I don&#8217;t hype hyperjacking or virtualization malware at all &#8212; just the opposite.</p>
<p>I presented both sides of the argument in the cited collection of blog pieces above.  How you get fog/fud out of any of them is beyond me.
</p>
]]></content:encoded>
				</item>
</channel>
</rss>

