Slashdot Mirror

← Back to Stories (view on slashdot.org)

Linux-Based Phone System Phones Home

Posted by kdawson on from the hard-to-keep-secrets-when-they-can-read-the-code dept.

An anonymous reader writes to let us know that users of Trixbox, a PBX based on Asterisk, recently discovered that the software has been phoning home with statistics about their installations. It's easy enough to disable, and not particularly steathy (beyond encrypting the data sent back), but customers in the forum are annoyed at not having been informed of the reporting. Trixbox is owned by Fonality, which makes customized PBXs (again based on Asterisk) for paying customers.

8 of 164 comments (clear)

  1. eh? by LingNoi · · Score: 3, Insightful

    So what does it actually do? Let me explain. We are only looking at the number of phones (and types) that are connected to a system.
    So it's sending back some generic data with no personal information so they can do a best estimate of where they need to be spending their time.

    What's the problem here?
    1. Re:eh? by arth1 · · Score: 5, Insightful

      So it's sending back some generic data with no personal information so they can do a best estimate of where they need to be spending their time.

      What's the problem here?


      First of all, your claim isn't true. Here's what it currently sends back the output of:

      /usr/bin/perl /var/adm/bin/recognition.pl
      /bin/uname -r
      /bin/rpm -q -a
      /sbin/lspci -vn
      /usr/sbin/dmidecode
      /usr/sbin/wanrouter version
      /usr/sbin/wanrouter hwprobe verbose
      /usr/sbin/asterisk -V
      /bin/cat /etc/redhat-release
      /bin/cat /etc/trixbox/trixbox-version
      /bin/cat /etc/trixbox/.regData
      Note that it sends the registration data on every request. Which means the other data isn't anonymous.

      But, and this is much more alarming, it also can execute arbitrary commands. It connects to the remote server, asks it what to execute, and then executes it. That's VERY scary, no matter what is currently collected. Imagine a hacker getting access to the server customers connect to.

  2. Re:Stats are useful by ScrewMaster · · Score: 4, Insightful

    Nah ... it's just that people don't bother to read what's in front of them. Had there been a big blurb during the software install that proclaimed "we collect anonymous usage statistics" nobody would have cared, but because it wasn't made sufficiently obvious people think there's something devious going on.

    --
    The higher the technology, the sharper that two-edged sword.
  3. Re:So? by syousef · · Score: 3, Insightful

    The initial setup at the web GUI makes it apparent that it wants to send stats back to home-base. How this can take people by surprise is baffling. ...because of course you have read every word of every screen of every version of every installer you've ever used, and never just glossed over any detail. What's baffling is that comments like this get modded up.

    --
    These posts express my own personal views, not those of my employer
  4. Make your own Linux-based PBX system by compumike · · Score: 4, Insightful

    We did it ourselves and saved >$100/month for a small business. Just use Asterisk (free and open source), buy some inexpensive but full-featured phones like the Grandstream GXP-2000 (about $80 each), and get a termination provider like VoicePulse Connect for Asterisk ($11/month for four simultaneous channels, free incoming, and below $0.01/min for most outgoing). It took some work to get it all set up and working properly, but now is actually more reliable than the analog phones ever were. (We had phone company issues every few months... just awful.)

    --
    Educational microcontroller kits for the digital generation.

  5. Re:So? by insertwackynamehere · · Score: 3, Insightful

    If it really bothers you this much when usage stats are collected, then you can't really gloss over things like the TOS and EULA... you can't have it both ways.

  6. Um by Gordo_1 · · Score: 3, Insightful

    Did anyone bother to notice that your mobile and landline phone companies know *WAY* more about you than this program could ever hope to collect? I mean, these guys bill you for every call you make, know exactly who you're calling and for how long, have been known to allow just about anyone in law enforcement to wiretap your line for even the flimsiest premise, yet the Slashdot crowd is more concerned with an open-source-based PBX collecting some high-level meta-data from users in an opt-out fashion?

    1. Re:Um by Minupla · · Score: 3, Insightful

      Hrm, last time I checked, my phone company was unable to open a tunnel from the internal side of my corporate firewall back to them. Since the script allows them to execute *any* command and most people put their PBX inside their most secure corporate network segment, this would prove to be an issue. Leaving beside for the moment the issues of DNS poisoning, and someone hijacking the script.

      Min.

      --
      On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before