Hello, I try to keep my Debian laptop as private as possible, but for work, I need to use Windows software, so I run a VirtualBox with Windows 11. My PC runs smoothly without any issues, but I need to access my specific hardware USB ports, and it doesn’t recognize them. I read that I need to install the Extension Pack, so I downloaded it, but before installing it, I get a warning message that seems to suggest I’m accepting some risk to my computer. I don’t really understand this stuff, so I wanted to ask the following:
Is there any security or privacy risk associated with the VirtualBox Extension Pack?
Is there any other way to access my USB-C devices without installing it? (I’ve already tried selecting USB 2.0 and 3.0, but the list shows “no device available”).
Thank you very much to whoever responds.
PS: Also I found this on the Internet: “The user agreement VirtualBox extension pack states of sharing a user’s data to the US govt. including the hardware information and so on. Does it make sense even if I use Tails/Whonix for anonymity?” :-/
No USB passthrough in VirtualBox without the extension pack. And unless you have a paid version it is a license violation to use the extension pack in a commercial setting. Take that with a grain of salt: it’s from the top of my head and it has been a while (years) since I touched VirtualBox. Since you are concerned about privacy, I’d suggest not touching closed proprietary software, like VirtualBox, at all whenever possible. Luckily, for virtualization in linux, that is perfectly possible. What you will want to look at is kvm/qemu. And maybe a handy UI to that like (qt-) virt-manager or gnome Boxes.
Virtualbox is libre. However, virt-manager is still better
The extension pack isn’t though: it’s closed source and only free for evaluation, personal use, and educational purposes.
Why are you using VirtualBox for this anyway?
KVM/QEMU + Virt-manager all the way.
Removed by mod
How do you migrate a Windows VM to virt-manager (without any risk of invalidating the license)?
Do whatever you want, then use MAS to activate Windows again :)
That’s a great question. Mostly it’d be a matter of exporting and then importing / converting the disk image and standing up similar VM “hardware”.
You might still need to reactivate the licence; I’m not sure if the virtual hardware move will trip activation.
Read about Oracle actively investigating user if there is a business usecase and charging insane amounts of money.
It’s oracle. I wouldn’t trust their software on my PC. Use qemu or something instead.
At the company I work at we needed to use USB 3.0 devices for which you need the extension pack (Windows hosts, Ubuntu VM).
For commercial use you need a licence to use the extension pack, so I don’t know how Oracle knew of the abuse of some employees but our company received a communication reminding about the licence rule.
the thing must phone home to check license status, and they were able to match your systems to the same entity via ip or network or something. but with a minimum buy of 100, i’d tell 'em to fuck off if the total seats using the pack was less than that, regardless of commercial/personal use status.
As a consumer, it’s fine. Not like anyone bothers to audit and compare the KVM VirtIO drivers every week to protect against malware. It phones hone to check activation status and such, but that’s just commercial software doing its thing. Running Windows is much worse for your privacy than a license check for Oracle’s extensions.
The age old comparison between Oracle and a lawnmower still comes to mind. The lawnmower doesn’t have I’ll will against you, or does it favour you. The lawnmower cuts grass. If you’re in the way, it will hurt you or because it has any desire to, but simply because that’s what it does. Don’t get in the lawnmower’s way and you can enjoy the smell of freshly cut grass on your lawn.
If you’re a business or professional, avoid Oracle. Oracle is a bunch of lawyers that have an IT side hustle. They give away their shiny toys for free in the hope you convince your boss to give it a spin, and that’s when they pounce with their elaborate licensing schemes. Paying Oracle is a liability, but use their stuff as much as you like.
Running privacy distros in a VM is always a little questionable. You’re risking submitting deanonimising data by sending background traffic from the host machine. Half committing to privacy tools is exactly how people get found.
If you’re looking for VirtualBox alternatives, virt-manager combined with KVM (or Xen, or another supported API) works quite well. USB forwards and PCIe forwards work fine and because Red Hat (IBM) is behind it, the licensing risks are a lot lower. You can use command line tools to convert VirtualBox images to libvirt images too.
If you want to take things even further, look into Cassowary. It leverages RDP’s ability to only forward a single remote application. It will add select Windows programs to your Linux application menu and auto start/stop the Windows VM on demand. There’s some setup that you need to do to make it work right, but once it’s running it works very well in my experience.
Running unauditable code is always a risk.
Consider an alternative to virtualbox, like QEMU/KVM with virt-manager.