Oracle recently started hunting our company for licenses due to the fact that the VB guest additions software phones home. Fail on us for not considering the license on the guest additions outside of the VirtualBox software.
Every now and then I think my company is paranoid for having a blanket policy of never using a single thing from Oracle (even to extent of rejecting anything using BerkeleyDB, and only using OpenJDK) then I see things like this and it makes sense.
I wonder when Oracle poisoned this well (Fortune 100).
Ive been recommending that same thing for a while. Microsoft, too, if you can get away with it. It's why I won't build stuff on .NET and Java. They were already big on patent suits, BS licensing, and Business Software Alliance looking for snitches. Then, Oracle went for API's are under copyright ruling. Then, I definitely wasn't gonna touch Oracle software.
Apparently they track it by downloads. My previous employer (a 25k employee healthcare system) had IP addresses in their logs a dozen times. Rather than telling Oracle to go f&*$ themselves (or at least pointing out that the organization has guest networks used by thousands of people), they rolled over and paid the $40,000 invoice—and threatened to take away the ability for their in-house software developers to download their own software.
Are you sure you mean "Guest additions". Guest additions is GPL licensed however the "VirtualBox Extension Pack" requires a paid for license to use commercially. And since Oracle make it very clear what licenses are needed [1] they are well within their rights to hunt down your company for revenue which is due.
By the way, this is a relatively recent change made in July 2017 (License version 10). Before that there was no "noncommercial" restriction, and the free license allowed commercial use as long as you installed it yourself (i.e. not deployed company-wide etc.).
> Personal use is when you install the product on one or more PCs yourself and you make use of it (or even your friend, sister and grandmother). It doesn't matter whether you just use it for fun or run your multi-million euro business with it. Also, if you install it on your work PC at some large company, this is still personal use. However, if you are an administrator and want to deploy it to the 500 desktops in your company, this would no longer qualify as personal use.
Wow that FAQ and license is confusing. They define personal use as:
> use solely by the person downloading the Product from Oracle on a single Host Computer, provided that no more than one client or remote computer is connected to that Host Computer and that client or remote computer is used solely to remotely view the Guest Computers.
This isn't a standard definition for "Personal Use" and I can now understand why people weren't happy.
I think it’s a pretty normal definition of Personal Use, that was necessarily screwed up by the fact that many tenants of a system can use a hypervisor installed on one machine. So, even if you’ve installed that software for personal use, you can’t be letting all your friends in the office SSH in and use it under your same license.
Nice. We're currently using the free VMware player for educational purposes (non-profit) and got a call from some VMware sales rep recently. Which is funny because some years ago we tried to get a statement from them about our kind of usage and after bouncing around nobody could give us a definitive answer.
However, our guy handling the call just mentioned that we're considering switching to VirtualBox anyways, and didn't hear back since. I think VBox actually has a clause about educational use in their EULA.
> VMware Workstation Player is free for personal non-commercial use (business and non profit use is considered commercial use). If you would like to learn about virtual machines or use them at home you are welcome to use VMware Workstation Player for free. Students and faculty of accredited educational institutions can use VMware Workstation Player for free if they are members of the VMware Academic Program <http://kb.vmware.com/kb/1033638>.
I guess while we are on the topic of licenses; how crazy is it requiring users to obtain their own Oracle JDBC driver in 2018? Why won't Oracle just let us distribute software ready to connect to their database?!
Why would you throw away Vagrant together with VirtualBox?!
You can also use vagrant with a libvirt/KVM backend (on linux).
Sometimes the box is not available in libvirt format. But that issue can be worked around converting them
Even Debian Stable (9.x, at this point) can install kvm and virt-manager and just run at this point. I have one VB installation that came in under the license smackdown a couple of year ago that I need to migrate. There is no point in using virtualization software the current owners don't want you to run.
Personally, I consider it beneficial, as I'd want my games and software (that hasn't been ported to my OS of choice, but I still trust) to run as fast as possible. Not fully sandboxed != "harmful" to everyone.
Maybe "VirtualBox 3D acceleration not fully sandboxed" would be a more accurate, less sensationalist title?
Took me ages to figure out it was virtual box that was the issue, not gnome or vscode. A shame, I liked my VM in Windows set up. Now I had to suffer through installing Ubuntu natively on a gen3 Thinkpad x1 yoga which has been a new class of nightmare thanks to Lenovo nuking critical sleep functionality:https://forums.lenovo.com/t5/Linux-Discussion/X1-Carbon-Gen-...
Getting my tools just like I like them always has such an exhausting spin-up time.
I ask this in sincerity; in Linux land, what is a good alternative to VirtualBox? Are there any that can do proper 3D acceleration to play games at a reasonable speed?
On linux you could try QEMU/KVM with GPU passthrough - install virtmanager for GUI. Easy with a desktop, difficult to do, but possible on Optimus laptops with - so you need the right kind of integrated and dedicated GPU there - see this guide https://gist.github.com/Misairu-G/616f7b2756c488148b7309addc.... Easy, but expensive route for a laptop, on a more modern laptop, would be to attach a eGPU enclosure via thunderbolt and share/passthrough that to your VM.
If you are considering doing your VM's on a server then it's worth a look at Unraid too - it uses QEMU/KVM under the hood but has some other advantages too.
Edit: you are likely to lose a little GPU 2-3% due to vm overhead, but GPU passthrough is as close to native as you are going to get. I've happily run a high end VR headset via a Windows VM running on Unraid in the past.
Running a Ubuntu Host with KVM, passing through an NVIDIA 970 to a Windows host. Yea...the GPU performance was fast, but everything else was so slow compared to running native. I think my biggest issue was with disk R/W, especially when memory pressure went up from the VM the system bogged down to a halt. After that, my biggest problems were with the fact that after the Windows host turned off, the GPU was stuck in the weird state where you can't reset it ( I know its a feature™ from Nvidia) and the Keyboard / Mouse would flake since I would attach the whole USB root to the VM as well.
In the end just decided to install back Windows and not have to deal with it.
Typically I do use Wine+PlayOnLinux, but I have a specific old game I want to play (Facade), that is incredibly picky to get working on any computer, let alone through some semi-emulation like Wine.
That's the one, though even in the writeup they mention that you can't get very far into the game with it. It's too bad; it's like an interactive version of "Who's Afraid of Virginia Woolf".
Wine definitely is better for older games 99% of the time, this one is just something that was incredibly picky even when it was new. I've bothered them to ask if they'd open source it or let me port it with me signing an NDA, but they haven't responded.
Those results are very old, so you can try again since things are likely much better now. And if it still fails, you can open some bugs to help fixing it. However if the game itself is very buggy, it might be not Wine's fault it's not working.
The big problem I have with wine is not the compatibility. It's the missing libraries. Steam handles this perfectly fine but the vast majority of games I have tried outside of steam crashed right away because of some missing library.
I've typically had pretty good luck with GOG, and actually nearly any older game has worked nearly flawlessly for me with Wine. Generally, these games actually work better on Linux than they do trying to shoehorn into modern Windows.
> The big problem I have with wine is not the compatibility. It's the missing libraries.
What kind of libraries? I never had a problem with Wine dependencies in Debian, even when installing WineHQ packages. It just pulls them from the repo.
You did read the article, right ? It stated that the real problem is in the OpenGL graphics driver, and that the only thing "wrong" with VirtualBox is not properly "firewalling"/sanity checking what is passed into it (and the OpenGL driver itself for not properly checking what is passed into the hardware, which can read all memory).
So there's very little point in switching software, assuming you play games with the virtualized system. QEMU ought to be as vulnerable as VirtualBox/VMWare to this problem.
And sure, they could fix this issue by checking this one pointer. But there's going to be 50 more where this problem came from, and they haven't even mentioned bounds checks.
> QEMU ought to be as vulnerable as VirtualBox/VMWare to this problem.
In the GPU passhthrough scenario, the host OS GPU drivers are not involved, and this exact problem won't occur.
But it's another question how well the GPU is isolated from the host system using mechanisms like IOMMU. To shield against attacks like manipulating host memory from code running on the GPU.
Two projects to watch out for: 1) The Gvt-g stuff from Intel 2) Crostini on chromebooks. Both are in development, but may eventually enable a wide variety of use cases out of the box.
> However, to enable this impressive breakthrough in online technology, web browsers (currently Chrome and Firefox) have had to expose low level parts of their operating systems which previously could not be directly accessed by potentially malicious web pages, thus creating a number of potential security vulnerabilities.
your post is FUD. that issus was solved immediately and the actually bug listed had nothing special to do with graphics and is just a bug like a bug in javascripy or the browser in general. a bug that was fixed. If you're going to off WebGL based on that bug then you'd better turn off your entire browser
Chrome itself doesn't have these issues. In particular it doesn't support features that would raise these kinds of issues. For one it's not supporting all of desktop opengl it's only supporting the subset that needed for WebGL. All of if is massively validated , shaders are rewritten, bound checked, memory cleared, clamps added, etc...
> One could argue that technically this component might not be considered attack surface in VirtualBox, due to the big warning put out in the documentation recommending against its use ...
The current situation seems perfectly fine to me. In reality, lots of people are using VirtualBox for completely trusted virtual machines so why not allow 3D acceleration for that use case?
I would have thought that vms allow the system to reset back to a known clean state, so you can freely allow it to perform malicious actions such as installing unknown wares.
If u do not need 3D, I strongly suggest moving to lxd. Using in kernel security and it is very light. Couple it to zfs and it runs 100 containers for a measily 15 GB RAM.
In kernel insecurity you mean. Lxd escape is trivial, might not use a container anyway if security is the goal.
Xen with driver domains and (only just started) similar support in KVM is about the kit reasonable thing from security point of view. Maybe VMware but that cannot be studied.
The only valid safety model is airgapped computers, stripped of any networking equipment, fed data only using dedicated thumbdrives coming from another computer running a different OS
Considering all of the issues with usb, you'd be better off using floppy disks or optical drives for data transfer to this hypothetical 'secure' system.
> VM are a problem waiting to happen.
Something something security threat model and personal risk tolerance...
RS232 would probably be usable and convenient for said hypothetical setup as well. Don't run PPP or anything; manually initiate transfers on both sides.
Of course. But the baseline stack of hardware and software for RS232 is (or at least can be) significantly simpler. USB and Ethernet are nightmares by comparison, and that's before considering the additional protocols that invariably sit between those low-level transports and your application.
For a project idea I've been considering how to attach a sensitive (but powerful) machine to the network with the smallest possible interface (in terms of code exposure). RS232 is probably the simplest yet still functional without getting into niche hardware standards.
On balance I think USB might be worse than Ethernet[2] or even Ethernet+TCP/IP just because typical network stacks have probably seen more scrutiny than USB stacks. But at the end of the day I know I'm going to want to use something like seL4 to protect the application from the transport stack(s). And even then you still have to worry about the hardware. There's a real dilemma in choosing the simplest hardware that is still viable in terms of performance, support (including ease of porting or writing drivers), and long-term availability.
[1] Assuming a simple ethernet controller with all the fancy features disabled or, ideally, not even present.
The problem of optical drives is the size limit and the time to make them.
They can contain malicious code just as well as a thumbdrive. The concern with USB is the firmware, and the thumbdrive pretending to be a HID device or having an extra partition with malicious code.
Purchasing many similar drives of a well known brand in a random supermarket is a reasonable alternative.
Just keep them for 1 year before using them, in case an exploit becomes popular - but this is extremely paranoid.
> They can contain malicious code just as well as a thumbdrive
Of course.
> The concern with USB is the firmware, and the thumbdrive pretending to be a HID device or having an extra partition with malicious code.
Right, that's the concern I was alluding to above. You'd still be better off burning optical media (and disabling any autoplay crap on the target system). You can still store severl GB of data on optical media.
> Just keep them for 1 year before using them, in case an exploit becomes popular - but this is extremely paranoid.
This may work if you only stick with very popular makes/models, since they would have a higher chance of being 'noticed' for doing something wrong.
> This may work if you only stick with very popular makes/models, since they would have a higher chance of being 'noticed' for doing something wrong
Security is in the spotlight, not in the shadows
Prefer tools that everyone else uses, unless you have a very compelling reason not to (windows: too many 0 days, complexity, and surface of attack ; wifi: too easy to start a rogue network)
Because when these popular tools get hacked, you will know it. I keep an eye on rogue firmware. I have not seen a real world threat yet, but I do expect spear fishing attacks for people involved in crypto (fortunately, not for us just writing software)
Employees can be a threat, yes. Ideally, the ports to connect data should be non standard - or just glued shut. Or have no employee!
The problem with stuxnet was that non dedicated thumbdrive brought in the worm. Also their equipment was networked. Bad idea. If data must be exchanged, use unidirectional links. Good old serial ports, with only TX or RX wired (Edit: I do not think centrifuges need a full ethernet stack. Depending on high level abstractions like TCP/IP for simple operations comes at a cost)
My model is not perfect safety, but if it take something the scale of stuxnet to attack, I feel safe enough.
I laughed when the recent spectre and meltdown exploits were revealed, because the good old airgap model meant I did not have to care.
Oracle recently started hunting our company for licenses due to the fact that the VB guest additions software phones home. Fail on us for not considering the license on the guest additions outside of the VirtualBox software.
Bye bye Vagrant! Time for a new workflow!