Slashdot Mirror

← Back to Stories (view on slashdot.org)

Linux-Based Phone System Phones Home

Posted by kdawson on from the hard-to-keep-secrets-when-they-can-read-the-code dept.

An anonymous reader writes to let us know that users of Trixbox, a PBX based on Asterisk, recently discovered that the software has been phoning home with statistics about their installations. It's easy enough to disable, and not particularly steathy (beyond encrypting the data sent back), but customers in the forum are annoyed at not having been informed of the reporting. Trixbox is owned by Fonality, which makes customized PBXs (again based on Asterisk) for paying customers.

1 of 164 comments (clear)

  1. Re:eh? by arth1 · · Score: 5, Insightful

    So it's sending back some generic data with no personal information so they can do a best estimate of where they need to be spending their time.

    What's the problem here?


    First of all, your claim isn't true. Here's what it currently sends back the output of:

    /usr/bin/perl /var/adm/bin/recognition.pl
    /bin/uname -r
    /bin/rpm -q -a
    /sbin/lspci -vn
    /usr/sbin/dmidecode
    /usr/sbin/wanrouter version
    /usr/sbin/wanrouter hwprobe verbose
    /usr/sbin/asterisk -V
    /bin/cat /etc/redhat-release
    /bin/cat /etc/trixbox/trixbox-version
    /bin/cat /etc/trixbox/.regData
    Note that it sends the registration data on every request. Which means the other data isn't anonymous.

    But, and this is much more alarming, it also can execute arbitrary commands. It connects to the remote server, asks it what to execute, and then executes it. That's VERY scary, no matter what is currently collected. Imagine a hacker getting access to the server customers connect to.