The Xena Blog

More than you ever wanted to know about MSDN Subscriber Downloads

Do you want to see something seriously cool?

Check out the MS vLabs at http://www.microsoft.com/technet/traincert/virtuallab/default.mspx. There's a short registration process, but no email verification. The vLabs provide you with a script and then let you open a pre-built Virtual Server instance in your Web browser. These aren't demos - these are fully functional server instances. Sweet. You can walk through a lab script to demo or learn about particular features without having to build an environment. I got my start at Microsoft writing various labs and how-to classes, and we always had to include 5 pages of instructions on how to build out your Lab environment; now it's pre-built with a browser link. If you want to re-start you don't have to rebuild an environment, you just re-start the lab session. Imagine using this for something like a learning lab to help with deployment or rollout - I'll be keen to see where people take this technology.

Comments

Gabe A said:

This is pretty cool but the security implications are horrendous...
# October 20, 2004 2:17 PM

Andy (MS) said:

The virtual machines in each lab can talk to each other, but other vlabs don't exist to them. So, you could really screw up the virtual servers but I'm not sure that you could do much beyond that. Security is a good point, though - I'm looking into these a bit more and security is a feature that I'd definitely want to bring up. (I don't, for instance, like the idea of a browser session being live to the Internet in the lab).
# October 20, 2004 10:52 PM

Smitty said:

Actually, all you can screw up is your own Virtual Machine. From a security standpoint, you can make them as secure as you want. I once ran a whole rack of these VMs for a training classroom. Students would email me all the time telling me how they had hacked my machines and jerked with this or that. They never took down the host... just made it so they couldn't run their own lab. Worst case scenario... you just start over. MSDN has been running these for over a year without a serious problem. The live browser is an option that can be toggled on or off so, turn it off for your lab.
# October 21, 2004 2:10 AM

Andy (MS) said:

Now the question is: Would you want to see a feature like this for MSDN Subscribers? I'm thinking about scenarios where a Tech Preview is released, but rather than downloading 5GB of content you spend an hour or two goofing with it in the Lab, then download it or not. Would anyone find this useful? Would you be willing to pay extra for it? (It's actually more expensive for us to deliver the lab than the download) What types of environments and features would you want to see? I'm in the Vision stage on this so if anyone has any good ideas now's a great time to get them to me.

A
# October 21, 2004 9:40 AM

Smitty said:

It's more expensive, but I think the VLab delivery removes a bunch of the barriers to trying new products. I get to play, but I don't have to hack up one of my machines to add the demo and then take it out. I'd probably try things that I normally wouldn't just because it is easier to get to. How about a service like MP3.com or iTunes (or MSN)? You could "pay as you go".

I'm a trainer.. what I really want is someone to package up the labs to all of the MS Learning content and make them available to the MCTP community.
# October 21, 2004 12:09 PM

Andy (MS) said:

All MS Learning content would probably take up a fairly serious amount of storage, but I take your point. I do know that TechNet is doing some stuff around past MS Learning content and labs, but (ironically) I don't know what MSDN's plans are in this space if anything.

# October 21, 2004 12:16 PM

Gabe A said:

Andy,

The outgoing internet connection was the biggest issue I found in my 10 minutes looking at the vlab.

I realize these are just images and if someone "breaks" it you can simply overwrite the image with a backup. And I understand the point Smitty makes - but if a true hacker wanted "root" then they don't want to control the virtual server instance - they want to control the server hosting the instance.

I'm not a hacker, don't pose to be one but I wonder about the following:

1) Possibility of uploading/downloading files to the vlab instance and/or compiling custom code by copy and paste or using VBScripts. Possibly turning the instance into a zombie or network scanner.

2) Buffer overflows, hard to limit externally on items such as internet browsers, in a vlab session there are literally thousands of executables that could be run that may be susceptible. I was able to view the filesystem by simply typing "\" in the address bar of Windows Explorer and by simply typing "cmd" in the run command.

3) Would infinite loops crash the server hosting the session?

4) What about the network? I would sincerely hope that there are firewalls between the virtual server and any other machines that may contain sensitive info.

I want to reiterate that I still think it's cool. I believe the best way to learn is to do things "hands-on". Just keep in mind that some of the first hackers were college students using a shared terminal with time-limits ;-)

Gabe
# October 21, 2004 4:27 PM

Andy (MS) said:

Thanks for the feedback, I'll be adding these as requirements into a vLab spec I'm working on now.

A
# October 21, 2004 5:06 PM