The US exports variants of a lot of military hardware for sure, but it still keeps the cream of the crop tucked away, such as the F-22.
Don't think for a second the US military hasn't planned for having to wage war against a country that it's outfitted with it's own technology. Many exported items have reduced capabilities, and lack the communications systems that allow information sharing between all military assets. Information at the front line is what wins battles.
I disagree. I'm sure they have some cool toys, but they are not even in the same league in terms of overall military capability as the US. Their military is very specialized to deal with their specific circumstances. The US can conduct full-scale warfare anywhere around the globe, in the air, sea, on land, or in near-earth orbit.
I don't know of any public references, but I can confirm this is happening to government entities as well. Oracle is being extremely aggressive and mounting what is essentially a phishing campaign against organizations that it sees accessing the extension download page. They are e-mailing employees directly and asking them to contact Oracle.
>Oracle is being extremely aggressive and mounting what is essentially a phishing campaign against organizations that it sees accessing the extension download page. They are e-mailing employees directly and asking them to contact Oracle.
Spamming employees with officious emails and hoping one of them is dumb enough to respond with pertinent information that subverts them or their organization is the textbook definition of phishing. What does it mean to you?
>Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising as a trustworthy entity in an electronic communication
"using virtualbox" isn't sensitive information. I haven't read the emails, but I doubt Oracle is disguising themselves as the company's IT department or something.
If you don't think information that subjects an entity to massive legal liability is sensitive, then I really don't understand where you're coming from.
The entire point of these emails is to bypass established channels by getting random employees to leak information. If they want licensing information, there's an IT point of contact for that. Or Contracts. Or Legal. They are literally fishing for information leakage that would give them grounds to sue.
> I doubt Oracle is disguising themselves as the company's IT department or something.
They wouldn't. At this stage the point is to convey a false sense of authority without being outright fraud. You have to wrap everything in vague but threatening insinuations-- "help us or you could face fines of up to a bazillion dollars, and/or you might go to JAIL."
The key words are fraudulently and by disguising as a trustworthy entity. If they clearly identify themselves as oracle, asking about virtualbox usage, then it's not phishing.
> They are literally fishing
You can "fish for info" in a hundred ways. Only a small subset of that is "phishing".
>If you don't think information that subjects an entity to massive legal liability is sensitive, then I really don't understand where you're coming from.
The employees were already subjecting their company to legal liability when they were using unlicensed software.
>The entire point of these emails is to bypass established channels by getting random employees to leak information. If they want licensing information, there's an IT point of contact for that. Or Contracts. Or Legal. They are literally fishing for information leakage that would give them grounds to sue.
So if I'm Oracle and I'm trying to find unlicensed enterprise users, what am I supposed to do? Call up their IT/legal department and hope that they'll investigate for me, and respond with a truthful response? Is Oracle not allowed to investigate on their own for licensing infractions? I feel like the only reason people are up in arms about this is because Oracle is doing it. If some startup was doing this to discover that some big corp was not paying their licensing fees, no one would blink an eye.
>They wouldn't. At this stage the point is to convey a false sense of authority without being outright fraud. You have to wrap everything in vague but threatening insinuations-- "help us or you could face fines of up to a bazillion dollars, and/or you might go to JAIL."
Sure, but cops do the same thing (if not more). I'm not saying either is okay, but both are not "phishing".
One is "Hi my name is XYZ at company ABC. Do you want to talk about our product DEF?" to which you instantly know it's a sales call and how to respond.
The other is specifically emailing employees asking about their use in order to build a case against their employer in the hopes of getting an enterprise agreement or lawsuit out of it. It's far more shady and the actual nature of the communication is not revealed until after the fact. For all the developer knows, it's just a support email from Oracle asking them about how they use their product.
"Hello my name is X I would like to sell you Y" is not phishing. It's not asking for any information. It's annoying, sure, but you know how to deal with it and they won't bother continuing when they know you're not interested (ie. by saying no)
"Hello my name is X, I work at Oracle, do you have a few minutes to talk about your use of VirtualBox" followed by asking questions about how you use it in order to build a case against your employer can be perceived as phishing. They are either outright not representing or misrepresenting the purpose of the conversation, and asking for information for purposes other than what you'd expect. It doesn't fit the exact definition in the dictionary, but it's close enough and uses the same sort of tactics that it can easily be considered another example of it.
The misrepresentation of the purpose is what brings it into phishing territory. By misrepresenting the purpose, you're also misrepresenting who you are and what your intentions are.
Something that's already phishing will still be phishing even if the purpose is misrepresented. Something that isn't otherwise phishing, however, can be made into something akin to phishing by misrepresenting the purpose.
Incorrect. It's not about purpose. It's about misrepresenting who you are. Oracle is saying they are Oracle. If Oracle is pretending to be someone else, than it's phishing.
What you are describing is not phishing. It's just regular old fishing.
Maybe this got lost halfway down this comment thread, but the whole point of this being considered phishing-like is that Oracle was emailing individual developers, asking questions about their use. The developers didn't realize so that Oracle can build a case against their employer and accidentally gave away details that Oracle would then use to pressure the employer to get licenses or would outright sue.
Developers likely thought they were speaking to Support, or responding to some kind of survey/questionnaire about their use cases and how they use VirtualBox, when in reality were being misled as to the actual purpose of the conversation.
Just because they were speaking to someone from Oracle as opposed to a third party scammer does not mean that the person they were speaking with didn't misrepresent/fake who they were.
Probably not the strict definition, but they are looking for information from employees they can use as leverage or in a lawsuit against the organization.
