
Any public references for this anywhere?



Personal anecdote: They came after us, since the extension phones home and they could track it to our ASN. Asked us for an audit of all installs of VB. The idea was that they wanted to then charge us big money for a corporate license.

Instead, IT banned it enterprise-wide. Which is sad, because we like it for Vagrant. We've since started moving all of our developer stuff to OpenShift, so we're not totally up a creek.


Oh, wow. They've also changed the license a couple of times in 2016 and 2017 to make it more restrictive.

Early 2016: https://web.archive.org/web/20160411070811/https://www.virtu...
Late 2016: https://web.archive.org/web/20161208112443/https://www.virtu...
Current, last changed July 2017: https://www.virtualbox.org/wiki/VirtualBox_PUEL

In the earlier licenses, "personal use" was just defined as the person using it being the same person as who installed it, and only one person remotely accessing the desktop at a time. So I had interpreted this as being OK for developer VMs in which the developer installs it themselves and uses it for their own development purposes. It also contained an "evaluation use" with a vaguely defined period.

The current license now defines "personal use" as explicitly non-commercial use, and adds more restrictions on client access that apply to any type of client and not just remote desktop access, as well as explicitly defining the evaluation use period as 30 days.

So while I didn't really have a concern about developers using VirtualBox with the extension pack previously, given the new license and the fact that they seem to be enforcing it via phoning home, it looks like it's time to set a policy of no one using it.

Luckily, we've already pretty much transitioned everything over to libvirt/KVM on Linux hosts, and people have generally been using VMware or VMware Fusion on Windows and Mac hosts.


I have a devops guy trying to push me to use Vagrant at the moment, but I am aware of these issues with VirtualBox. I was thinking about using one of the LXC shims, but now you have me curious: how useful is OpenShift in that "I want to spin local VMs up for testing" approach? I thought it was much more geared to server and not workstation, as opposed to Vagrant.

Of course others are right, virt-manager is probably a better replacement I think.


So OpenShift (or OKD) is just Red Hat's Kubernetes platform. If your dev team isn't already in a Docker-like workflow, it's going to be a hard sell. I've found many devops-y people love to be able to SSH into the environment to change code as it runs, and that's not possible with an environment like this.

You can spin up KVMs in OpenShift, but I have the feeling it's not going to be quite what you're looking for. I suppose it's all going to be a matter of what workflow is most comfortable for your devops people. If you have an OpenStack install, Vagrant can control those AND they can login and poke around.

Also FYI, virt-manager is deprecated in RHEL 8 and is superseded by Cockpit.


Out of curiosity, what feature in the extension pack are you using with Vagrant?


USB pass through support to drive hardware debuggers here.


PXE booting mostly.


Why not use KVM via vagrant-libvirt? It's pretty easy to set up and works like a charm. See https://news.ycombinator.com/item?id=18727059


So one problem with that is not all of our team uses Linux, we're a Mac/Linux hybrid team. Our workflow was to edit the puppet manifests locally and then Vagrant up, and we wanted something that would work across different dev machines. However, the fussiness of environment setup started to go higher the further we got from VBox; our team didn't really want to invest time into a workflow that was supposed to be an intermediate step to our "end game" development pipeline, so we just left it. Thanks for the link though!


You can have mixed-provider Vagrantfiles.


I don't know of any public references, but I can confirm this is happening to government entities as well. Oracle is being extremely aggressive and mounting what is essentially a phishing campaign against organizations that it sees accessing the extension download page. They are e-mailing employees directly and asking them to contact Oracle.
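Two comments above describe how Oracle finds installs: the extension pack phoning home and hits on the extension pack download page. From the defender's side, the same signal is visible in your own web-proxy logs, so an organization can find extension pack usage before a vendor does. The following is an added example, not code from the thread or from Oracle/VirtualBox: it scans constructed proxy log lines for downloads of `.vbox-extpack` files and for in-product update checks, and summarizes hits per client. The log format (timestamp, client IP, method, URL, status) and the hostnames `download.virtualbox.org` and `update.virtualbox.org` are assumptions; check them against your own traffic before relying on them.

```python
"""Find VirtualBox extension-pack downloads and update checks in proxy logs.

Added example, not from the page. Assumptions (not stated on the page):
  - log lines look like: <timestamp> <client-ip> <METHOD> <url> <status>
  - download.virtualbox.org serves extension pack downloads and
    update.virtualbox.org serves the in-product update check
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional

# Assumed hostnames; verify against real traffic before deploying a rule.
VBOX_HOSTS = {"download.virtualbox.org", "update.virtualbox.org"}
EXTPACK_RE = re.compile(r"\.vbox-extpack$", re.IGNORECASE)
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


class Hit(NamedTuple):
    ts: str
    client: str
    host: str
    kind: str  # "extpack-download", "update-check" or "other-virtualbox"


def host_of(url: str) -> str:
    """Return the lowercased hostname of an http(s) URL, or '' if none."""
    m = re.match(r"^https?://([^/:?#]+)", url)
    return m.group(1).lower() if m else ""


def classify(url: str) -> Optional[str]:
    """Classify a URL; None means it is not VirtualBox-related traffic."""
    host = host_of(url)
    if host not in VBOX_HOSTS:
        return None
    path = url.split("?", 1)[0]  # ignore query string when matching the file name
    if EXTPACK_RE.search(path):
        return "extpack-download"
    if host == "update.virtualbox.org":
        return "update-check"
    return "other-virtualbox"


def scan(lines: Iterable[str]) -> List[Hit]:
    """Parse log lines, skipping malformed ones, and return VirtualBox hits."""
    hits: List[Hit] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or foreign-format line: ignore, do not crash
        kind = classify(m["url"])
        if kind:
            hits.append(Hit(m["ts"], m["client"], host_of(m["url"]), kind))
    return hits


def summarize(hits: Iterable[Hit]) -> Dict[str, Dict[str, int]]:
    """Count hits per client IP and per kind, for an inventory or a ticket."""
    per_client: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for h in hits:
        per_client[h.client][h.kind] += 1
    return {client: dict(kinds) for client, kinds in per_client.items()}


# Constructed sample log; the paths and versions are illustrative only.
SAMPLE_LOG = """\
1545000001.123 10.1.2.3 GET https://download.virtualbox.org/virtualbox/6.0.0/Oracle_VM_VirtualBox_Extension_Pack-6.0.0.vbox-extpack 200
1545000002.456 10.1.2.3 GET https://update.virtualbox.org/query.php?platform=linux.amd64&version=6.0.0 200
1545000003.789 10.1.2.9 GET https://www.example.com/index.html 200
1545000004.000 10.1.5.7 GET https://download.virtualbox.org/virtualbox/6.0.0/VirtualBox-6.0.0-Win.exe 200
this line is deliberately malformed and must be skipped
"""

if __name__ == "__main__":
    for client, kinds in sorted(summarize(scan(SAMPLE_LOG.splitlines())).items()):
        print(client, kinds)
```

Run it as-is to see the per-client summary for the constructed log, or replace `SAMPLE_LOG.splitlines()` with a file handle over a real proxy export. Only the extension pack download is the licensing-relevant event; update checks and base-package downloads are reported separately so the inventory distinguishes the two.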


>Oracle is being extremely aggressive and mounting what is essentially a phishing campaign against organizations that it sees accessing the extension download page. They are e-mailing employees directly and asking them to contact Oracle.

You have a very broad definition of "phishing".


Spamming employees with officious emails and hoping one of them is dumb enough to respond with pertinent information that subverts them or their organization is the textbook definition of phishing. What does it mean to you?


From Wikipedia:

>Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising as a trustworthy entity in an electronic communication

"using virtualbox" isn't sensitive information. I haven't read the emails, but I doubt Oracle is disguising themselves as the company's IT department or something.


If you don't think information that subjects an entity to massive legal liability is sensitive, then I really don't understand where you're coming from.

The entire point of these emails is to bypass established channels by getting random employees to leak information. If they want licensing information, there's an IT point of contact for that. Or Contracts. Or Legal. They are literally fishing for information leakage that would give them grounds to sue.

> I doubt Oracle is disguising themselves as the company's IT department or something.

They wouldn't. At this stage the point is to convey a false sense of authority without being outright fraud. You have to wrap everything in vague but threatening insinuations-- "help us or you could face fines of up to a bazillion dollars, and/or you might go to JAIL."


The key words are "fraudulently" and "by disguising as a trustworthy entity". If they clearly identify themselves as Oracle, asking about VirtualBox usage, then it's not phishing.

> They are literally fishing

You can "fish for info" in a hundred ways. Only a small subset of that is "phishing".


>If you don't think information that subjects an entity to massive legal liability is sensitive, then I really don't understand where you're coming from.

The employees were already subjecting their company to legal liability when they were using unlicensed software.

>The entire point of these emails is to bypass established channels by getting random employees to leak information. If they want licensing information, there's an IT point of contact for that. Or Contracts. Or Legal. They are literally fishing for information leakage that would give them grounds to sue.

So if I'm Oracle and I'm trying to find unlicensed enterprise users, what am I supposed to do? Call up their IT/legal department and hope that they'll investigate for me, and respond with a truthful response? Is Oracle not allowed to investigate on their own for licensing infractions? I feel like the only reason people are up in arms about this is because Oracle is doing it. If some startup was doing this to discover that some big corp was not paying their licensing fees, no one would blink an eye.

>They wouldn't. At this stage the point is to convey a false sense of authority without being outright fraud. You have to wrap everything in vague but threatening insinuations-- "help us or you could face fines of up to a bazillion dollars, and/or you might go to JAIL."

Sure, but cops do the same thing (if not more). I'm not saying either is okay, but both are not "phishing".


> They are e-mailing employees directly and asking them to contact Oracle

That would certainly look a lot like phishing


In this case, I think it's actual fishing...


So 90% of cold-call recruiting/sales is also "phishing"?


I'd say "yes". If a cold call results in anything other than blacklisting the company that called you, you're setting yourself up for failure.


Those are completely different.

One is "Hi my name is XYZ at company ABC. Do you want to talk about our product DEF?" to which you instantly know it's a sales call and how to respond.

The other is specifically emailing employees asking about their use in order to build a case against their employer in the hopes of getting an enterprise agreement or lawsuit out of it. It's far more shady and the actual nature of the communication is not revealed until after the fact. For all the developer knows, it's just a support email from Oracle asking them about how they use their product.


Whether the intent is positive or negative is unrelated to whether it's phishing. You could phish someone's info and then send them a gift basket.


Let me clear it up for you:

"Hello my name is X, I would like to sell you Y" is not phishing. It's not asking for any information. It's annoying, sure, but you know how to deal with it and they won't bother continuing when they know you're not interested (i.e. by saying no).

"Hello my name is X, I work at Oracle, do you have a few minutes to talk about your use of VirtualBox" followed by asking questions about how you use it in order to build a case against your employer can be perceived as phishing. They are either outright not representing or misrepresenting the purpose of the conversation, and asking for information for purposes other than what you'd expect. It doesn't fit the exact definition in the dictionary, but it's close enough and uses the same sort of tactics that it can easily be considered another example of it.


I don't think the purpose of the conversation matters. It's about if/how you fake your identity and what information/access you collect.

That's why I bring up phishing personal info to send a gift basket. Despite flipping the purpose on its head, it's still phishing.


The misrepresentation of the purpose is what brings it into phishing territory. By misrepresenting the purpose, you're also misrepresenting who you are and what your intentions are.

Something that's already phishing will still be phishing even if the purpose is misrepresented. Something that isn't otherwise phishing, however, can be made into something akin to phishing by misrepresenting the purpose.


> The misrepresentation of the purpose

Incorrect. It's not about purpose. It's about misrepresenting who you are. Oracle is saying they are Oracle. If Oracle is pretending to be someone else, then it's phishing.

What you are describing is not phishing. It's just regular old fishing.


> By misrepresenting the purpose, you're also misrepresenting who you are

Wha?


Maybe this got lost halfway down this comment thread, but the whole point of this being considered phishing-like is that Oracle was emailing individual developers, asking questions about their use. The developers didn't realize this was so that Oracle could build a case against their employer, and accidentally gave away details that Oracle would then use to pressure the employer to get licenses or would outright sue.

Developers likely thought they were speaking to Support, or responding to some kind of survey/questionnaire about their use cases and how they use VirtualBox, when in reality they were being misled as to the actual purpose of the conversation.

Just because they were speaking to someone from Oracle as opposed to a third party scammer does not mean that the person they were speaking with didn't misrepresent/fake who they were.


Probably not the strict definition, but they are looking for information from employees they can use as leverage or in a lawsuit against the organization.


I would definitely contact them. But they would not appreciate the reply.


The last enterprise I worked at sent out an announcement that anyone with VirtualBox had to remove it.

What amazed me was when I first started there and asked if I could install it, most everyone was clueless about what it even was. So Oracle had to have done some audit that found it, because I don't believe more than 1 or 2 other people would have been using it.



