WholyShit 0 points (+0|-0)

I major in Cyberspace Security, and am affiliated with the USAF.

I'm not worried about it. Most companies have already patched it, and most VMs have the floppy disk emulator disabled by default.

It's only a minor issue for those who cannot easily update a fix over a wireless network. This excludes the Java and Microsoft ones.

Not at all worried on a significant scale.


finlandia [S] 1 point (+1|-0)

I agree here; I felt that since it's pretty high profile at the moment it would be a good topic of discussion for getting this subverse off the ground. I share your sentiment: it's one of those exploits that seems to need a certain level of things "just lining up correctly" to be exploited, such as the correct hypervisor being in use on the target system. Also to be noted is that many of the companies who have this software rolled out en masse may already be patched, since they do a certain level of modification to the hypervisor in order to tailor it to their needs, which may include disabling the floppy controller.


Yofelli 0 points (+0|-0)

Once the exploit goes public, what happens next is just 'business as usual' operations for IT teams around the world: 'a new patch to be released, let's integrate it within our next maintenance'.

Now the real question is not the 'after' but the before: how long this exploit has been around and how many groups could have used it to gather intelligence are real questions to be addressed. Clearly you have to be within the knowledge of the provider xyz cloud VM's allocation to give out educated guesses, but one thing that is true is that no provider does risk assessment. You will have pet-shop front VMs sitting next to your e-business without you being knowledgeable. PetShop got owned and then they jumped on your VM, getting access to private keys, documentation, etc.

In a globalized economy the information gathered from small businesses is golden, as more often than not they work with bigger firms. You get names, transactions, subcontracts, etc. Pinpoint enough data and you now have intelligence to start good old social engineering to gather more knowledge and sell it to competitors or blackmail the owners for shady actions.


WholyShit 0 points (+0|-0) (edited)

I agree with your first paragraph. It's already out. I'd bet people whose job it is to identify these things knew well before the public.

Why do you say that no provider does risk assessment? People get paid to do it.

I have no idea what Pet Shop is. What exactly are you talking about?

Why do you assume that small businesses work with bigger firms? I run two businesses with partners. One in the field of Web design and one in the field of electronic cigarettes. Neither works with bigger firms.

I honestly don't understand the point of your post. That's not to say I'm trying to invalidate it. I just don't get what you are trying to say.