Is there a way a free piece of software downloaded off the Internet can cost your company potentially huge auditing fines? Oracle VirtualBox is one such seemingly benign application that can prove a major liability for your company. Oracle VirtualBox acts as the coordinator of virtual machines from multiple operating systems and can improve the performance of guest virtual machines. It is a free piece of Open Source software for anyone to download. At MetrixData 360, we have seen that Oracle is actually targeting companies with VirtualBox installed on their company desktops and in this article, we’re going to discuss why that is and what it could mean for your company.
A Quick Definition of ‘Copyleft’
In the software licensing world, there are two definitions of ‘free’. There is the regular definition of the word free, where you don’t have to pay for anything. Then there is open source software, which is also described as ‘free software’ or ‘Copyleft licensing’, a term which can be applied to VirtualBox’s General Public License version 2 (GPLv2). Open source means that you may or may not be asked to pay for the software, but once you have the software, you can crack it open and tinker with the source code. You’re allowed to learn from it, improve upon it, and you can even pull out pieces you like and use the code to make other things. It’s great for hobbyists who want to develop their coding skills, especially since doing this same thing to regular copyrighted software would send them straight into a copyright infringement lawsuit.
The only real rule when playing around with open source software is that you can’t make money off of the software codes, and if you give the software to someone else, then you have to allow them access to the source codes as well. For example, if I made a game out of open source code, I could share it with my friends or post it online for people to play so long as I supplied them with the open source library I used to make it and offered the game for free. While this can be great for some, things have the tendency to enter the grey area quickly when open source code enters the corporate realm. Even if you aren’t directly selling anything with open source codes, what technically constitutes as ‘making money’ from the software? That’s where things get sticky.
Problems with VirtualBox
VirtualBox is free in every sense of the word; you don’t have to pay for it, and you can play around with the code as much as you like, so what is the issue? Sadly, there are many issues that arise when your business decides to get VirtualBox.
VirtualBox’s Extension Pack
VirtualBox is broken down into three parts. The Basic Package, the Extension Pack, and the Guest Additions. The Basic Package and the Guest Additions are free, however, the Extension Pack that you can install just as easily to go with VirtualBox is distinctly not free. The Extension Pack is what you need to buy a license for.
Why Get The Extension Pack?
The Extension Pack is enticing for many reasons. Namely, it improves the performance of the VirtualBox and while the VirtualBox alone only supports USB 1.1 devices, the Extension Pack Supports USB 2.0 and 3.0 devices. If you have an issue with VirtualBox and you don’t have the Extension Pack, then you can consult the VirtualBox Community. This is basically a reddit-like board consisting of a collection of software enthusiasts who may just have the solution to the problem you’re facing. However, if you get the Extension Pack, then you are eligible for support, updates, and maintenance from Oracle.
Can the Extension Pack be Redistributed?
Unlike the rest of VirtualBox, the Extension Pack is subject to the Personal Use and Evaluation License (PUEL), which means that you can download the Extension Pack onto a single host computer for non-commercial purposes, which a company distinctly doesn’t fall under. Unlike with the GPLv2, which allows for redistribution, you can’t redistribute the Extension Pack without a special license from Oracle.
How Much Does the Extension Pack Cost?
The Extension Pack has two pricing models that you can pick between, as seen below and published on Oracle’s website:
It is important to note that if you chose to use the socket pricing model (a socket is what hosts a chip, which contains a collection of one or multiple cores), then you will need a license for all the hosts within a vCenter, which could expand throughout multiple data centers. This means that anything the VirtualBox touches needs to be licensed. In addition, any environments like Test/Development servers that interact with VirtualBox also need to be licensed. Failure to attend to these issues could easily translate to owing Oracle hundreds of thousands of dollars in required licenses, depending on the size of your infrastructure.
Does your company have VirtualBox installed on its desktops? If you have a discovery tool in place as a part of your Software Asset Management process, that’s probably where your thoughts are turning if you want to find the answer. However, at MetrixData 360, we are repeatedly finding that discovery tools that are available today are unable to detect the presence of VirtualBox on a device. Without that visibility, the only options you possess for monitoring the usage of VirtualBox is either checking the desktops manually (a gruelling process which leaves a very likely threat of human error), or we have suggested to many clients, simply put a company-wide block on the webpage where you can download VirtualBox.
The Foot in the Door for a Software Audit
While the presence of VirtualBox may be a blind spot to you, it certainly isn’t for Oracle. They are notified of every installation of VirtualBox and will be able to know which desktops in your company have VirtualBox. Even if your company is out of compliance when it comes to VirtualBox’s Extension Pack, your penalty may be somewhere shy of USD $1,000, which amounts to pennies for larger corporations. Since the fine is so small, it may lead companies to brush it off, but this small fine could easily lead to a bigger problem. Catching Oracle’s attention by being out of compliance with VirtualBox has resulted in many companies receiving a larger software audits from Oracle since they now have evidence to suggest the company’s software environment is not as organized as it ought to be. It’s best to tackle this small problem before it grows into a larger one.
So, How Do You Check Your Environment for VirtualBox?
If at this point you are wondering how exactly you figure out who already has VirtualBox on their desktops within your company, you can use the following instructions to manually check if a desktop has the Extension Pack.
For More Information About Oracle VirtualBox
We have found that incidents of shadow IT within an organization are an unfortunately common occurrence that can create security problems, costly app sprawls, and as we saw in the case of VirtualBox, compliance issues. In order to avoid this, it is important to implement a strong software asset management process that can regulate the installation of software. If you would like to know more about the general benefits of software asset management, you can check out our article, Software Asset Management: Its Importance, Purpose, and How it Saves Money.