Joanna Rutkowska took the time to respond to my "open letter" that I wrote this weekend regarding her presentation at RSA. I truly appreciate that. It was a little barbed, but so was mine, but all's fair in love and blogging.
I chortled, however, when I realized that I was deserved of a response only for the following reasons:
1) technorati.com reported the blog’s authority as above 100 which suggests it has a reasonable number of readers, and also
2) because I believe this is a good example of the social engineering techniques used by my opponents
I just about coughed my latte through my nose when I read that.
Just to be clear, Joanna, I'm not an "opponent" and despite your assertions, I don't provide PR services for anyone. I *do* however rather like the fact that you've anointed me with the madly-133t-skillz of a social engineer. ;)
Let me make it perfectly clear (because I don't think I have) that I find your research incredibly interesting and your work compelling. What I question is the relevancy across use cases and the way in which you choose to present it. This is despite your bemoaning to the contrary, the way in which you surrender your words to the fates (i.e. the press) and seem powerless to be able to ensure what you said is printed in context accurately.
Rather than continue the enthralling debate regarding the vagaries of municipal fire codes, let me get to the meat of the redress which is what I focused on in the first place: what you said and what you may have meant to say are two different things, Joanna.
2. Type I vs. Type II hypervisors confusion.
Hoff then switches to the actual content of the presentation and writes this:
“When I spoke to you at the end of your presentation and made sure that I understood correctly that you were referring specifically to type-2 hosted virtualization on specific Intel and AMD chipsets, you conceded that this was the case.”
This simply is an incorrect statement! On the contrary, when describing the security implications of nested virtualization (which was the actual new thing I was presenting at the RSA), I explicitly gave an example of how this could be used to compromise type I hypervisors. Kindly refer to slides 85-90 of my presentation that can be downloaded here.
I said that the code we posted on bluepillproject.org indeed targets type II hypervisors and the only reason for that being that it has been built on top of our New Blue Pill code that was designed as a Windows kernel driver.
This is exactly why I and a couple of other folks came up to speak with you at the end of your talk. It was not at all clear as to which case you were referring. I humbly accept the responsibility for a lack of cognition here. When I sought that clarification, you specifically answered as I mention above which confirmed my understanding. To that end, the gentleman behind me responded "Yeah, that's what I wanted to ask, too" and thanked you for the clarification. Now you're suggesting that what we heard was not what you said...
3. Shit not giving. Mr. Hoff goes even further:
“When I attempted to suggest that while really interesting and intriguing, your presentation was not only confusing to many people but also excluded somewhere north of 80% of how most adopters have deployed virtualization (type-1 "bare-metal" vs. type-2 hosted) as well as excluding the market-leading virtualization platform, your response (and I quote directly) was: I don't give a shit, I'm a researcher.”
Now that was a hard blow! I understand that the usage of such a slang expression by an Eastern European female during an informal conversation with a native speaker must have made an impression on him! However, I couldn’t give such an answer to this very question, simply because of the reasons given in point #2 (see above).
I don't care whether you're an "Eastern European female" or a cross-dressing circus clown from Bolivia. What does concern me is that first you suggest that your making that statement must have been shocking to me and then you immediately maintain you didn't say it...and you throw in the gender card! Nice.
Joanna, your dismissal using this exact phrasing is exactly what got me riled up. Your dishonesty and/or confusion about what you said and what you think you said is the entire point you're missing...except hysterically you claim you are a victim of the very issue I highlight:
So, then Hoff quotes the Forbes article that was written after my presentation and accuses me that the article (written by some Forbes reporter) was too sensationalist. I definitely agree the article was very sensationalist (but correct) and when I saw the article I even got angry and even wanted to write a blog about it (but as the article was actually correct, I had no good arguments to use against it).
And you know why I was so angry? Because I actually spent over 40 minutes with this very Forbes reporter in the RSA’s speaker’s lounge just after my speech, I spent that time on clarifying to that guy what my presentation was about and what it was not about and what was the main message of the presentation. Still, the reporter had his own vision of how to write about it (i.e. make it into a sensation) and I hardly, as it turned out, could do anything about it…
Perhaps the fault is ours, but perhaps you should accept some of the responsibility here, too? If you continue to be misunderstood, misquoted, and misrepresented, perhaps it has something more to do with than the fact that your intellect is "...too technical for an average CISSP to understand it?" Perhaps you are hard to understand? Perhaps you don't do a good job of explaining? Perhaps the language gap is confusing things?
Look, I find the following assertion really interesting, and had you allowed me to ask the question, would have loved to have discussed it with you further:
"Keep[ing] hypervisors simple, do not put drivers there, as otherwise we would get to the same point where we are with current OSes these days, i.e. no kernel security at all!”
...but I didn't get a chance to. I actually resonate with your assertion. I didn't bring it up because that's not what I had a problem with.
Finally, to your closing point:
Now I wonder, maybe Christofer Hoff doesn’t do PR for any VMM vendor, maybe he just didn’t listen carefully to my presentation. Maybe he’s just one of those many guys who always know in advance what they want to hear and selectively pick up only those facts that match their state of mind? Otherwise, why would he not realize that my presentation was actually a pro-virtualization one and needed no (false) counter-arguments?
I came to your presentation the way I do to every other I attend. With an open mind, open ears and a closed mouth. I listened carefully, was confused by what I thought were contradictory statements between your slides and what you were saying and sought clarification. Upon clarification and subsequent condescending dismissal, I closed my mouth and my ears and formed my conclusion based upon your response.
Perhaps you'll use this as an opportunity to reflect upon how you present and interact with people. Perhaps you won't. I know I will. Either way, I appreciate your research and your response to my "letter."