Linux-Based Phone System Phones Home
An anonymous reader writes to let us know that users of Trixbox, a PBX based on Asterisk, recently discovered that the software has been phoning home with statistics about their installations. It's easy enough to disable, and not particularly steathy (beyond encrypting the data sent back), but customers in the forum are annoyed at not having been informed of the reporting. Trixbox is owned by Fonality, which makes customized PBXs (again based on Asterisk) for paying customers.
I am with Linus on this one.
His position is very clear and makes a lot of sense.
...phone home!
A product named Trixbox is really a box of tricks...
The initial setup at the web GUI makes it apparent that it wants to send stats back to home-base. How this can take people by surprise is baffling.
Anyone know what "steathy" means?
Now that Linux is becoming more popular, I knew spyware and other malware would start encroaching...
The countdown to my switch to FreeBSD started today...
What's the problem here?
The issue here is not just the fact that it is phoning home - it is the method in which it is done. This has been reported as a security vulnerability to the voipsec mailing list. http://voipsa.org/pipermail/voipsec_voipsa.org/2007-December/002522.html
So what if anonymous stats are collected?
From the title, my initial thought was...
Wow, they got one number working,
can't wait till they get the rest of them going too!
From the forum:
The point is that people should have been given a means to easily opt out of the data collection process, which is something we totally overlooked, and in seeing the reaction we realize that this was a big mistake on our part. While it is pretty trivial for anyone with basic Linux knowledge to disable it, the issue is that a) we didn't inform people well and b) we didn't make it easy to turn off. We thank you for your support on this, but any time there are more than a few people complaining about something it means we missed the mark on it. So, as a team and a company we fix it and learn from it. -- Kerry Garrison, trixbox Community Director

And I'm somewhat annoyed by KerryG's assertion that "Both trixbox and FreePBX have phone-home mechanisms in them." Now, admittedly, I relinquished FreePBX at the beginning of this year due to personal commitments, but I have ALWAYS been dead against 'phone home' information. We DID have a rough idea of how many machines were actively being maintained by the 'hits' on the modules.xml file that contains the current version of all the modules and download links for it. That's it.
The only other slightly information-divulging bit of information was the built-in IRC client did a 'uname -n' and specified what distro the client was running. It broadcast that in a 'notice' to the FreePBX channel. This was highlighted on the IRC page, with exactly what would be sent.
FreePBX has NEVER 'phoned home'. I would be amazingly upset if it was doing so now. Trixbox, on the other hand, may do that, but please do NOT link the FreePBX project with it.
--Rob
Trix are for kids.
Hello,

Consulting for several large companies, I'd always done my work on Windows. Recently however, a top online investment firm asked us to do some work using Linux. The concept of having access to source code was very appealing to us, as we'd be able to modify the kernel to meet our exacting standards, which we're unable to do with Microsoft's products. Although we met several technical challenges along the way (specifically, Linux's lack of Token Ring support and the fact that we were unable to defrag its ext2 file system), all in all the process went smoothly. Everyone was very pleased with Linux, and we were considering using it for a great deal of future internal projects.

So you can imagine our surprise when we were informed by a lawyer that we would be required to publish our source code for others to use. It was brought to our attention that Linux is copyrighted under something called the GPL, or the Gnu Protective License. Part of this license states that any changes to the kernel are to be made freely available. Unfortunately for us, this meant that the great deal of time and money we spent "touching up" Linux to work for this investment firm would now be available at no cost to our competitors.

Furthermore, after reviewing this GPL our lawyers advised us that any products compiled with GPL'ed tools - such as gcc - would also have to have their source code released. This was simply unacceptable.

Although we had planned for no one outside of this company to ever use, let alone see, the source code, we were now put in a difficult position. We could either give away our hard work, or come up with another solution. Although it was tough to do, there really was no option: We had to rewrite the code, from scratch, for Windows 2000.

I think the biggest thing keeping Linux from being truly competitive with Microsoft is this GPL. Its draconian requirements virtually guarantee that no business will ever be able to use it. After my experience with Linux, I won't be recommending it to any of my associates. I may reconsider if Linux switches its license to something a little more fair, such as Microsoft's "Shared Source". Until then, its attempts to socialize the software market will ensure it remains only a bit player.

Thank you for your time.
This is a key point. A cron entry runs a process on the PBX every 24 hours that connects out to trixbox and picks up an arbitrary list of commands. It executes those commands (under whatever authorities it was installed with) and returns the results. Sure hope their server is up to date on patches. That assumes DNS sent back the right server to begin with and not a spoofed site with a "different" set of commands.
In what universe does this seem like a good idea?
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
We did it ourselves and saved >$100/month for a small business. Just use Asterisk (free and open source), buy some inexpensive but full-featured phones like the Grandstream GXP-2000 (about $80 each), and get a termination provider like VoicePulse Connect for Asterisk ($11/month for four simultaneous channels, free incoming, and below $0.01/min for most outgoing). It took some work to get it all set up and working properly, but now is actually more reliable than the analog phones ever were. (We had phone company issues every few months... just awful.)
It's easy enough to disable, and not particularly steathy (beyond encrypting the data sent back), but customers in the forum are annoyed at not having been informed of the reporting.
i love how the slashfucks play this down. if this was ms we'd see endless posts modded +5 saying the same thing over and over
THIS FEATURE SHOULD BE OFF BY DEFAULT. NO DEFAULT SHOULD EVER REPORT BACK EVAH!!!!ONEONE!!!
i love how you fags suck on the nutsack of linux so hard that you don't care when they beat you around with their dick. bunch of fucking hypocrites.
You Linux people obviously are never satisfied with anything. How many times do we hear you all bitch about the MS monopoly? Well finally something comes along to oppose that, and you bitch?!?!? Talk about looking a gift horse in the mouth.
STOP BITCHING!!!! Stuff like this makes me dislike Linux, and tends to make me want MS to win.
The moral: if you want Linux to beat MS, stop bitching at anything Linux. EVER.
"I just can't complain about free software."
Damn! There goes all the FreeBSD battles.
"We did it ourselves and saved >$100/month for a small business."
Oh look! Another Geico commercial.
I've used skype for a solid year with only a couple days of outages. I found changing my number every three months eliminates this problem.
What happened to cities with free wireless?
The system made over 5 million calls to the owner of this apartment
...to the company christmas party...
REJECTED!
I'm going to ask her out again, greg, just watch. And I'll get my whopping $32 for the MMIC.
I saw "phoning" and I wondered "what connection does that have to phreaking or phishing?"
Kerry has already addressed this in his blog:
http://www.trixbox.org/trixboxs-new-hardware-audting-tool
No one reads those things, and no one is intended to. If they were intended to convey information, rather than obscure it, they would be no longer than a paragraph and in plain English.
Ok, points for admitting the problem and for taking some corrective action. But opt-out? Why not fix it completely and have it opt-in? It's what people hope for or demand for many things. They might not expect or get it, but it is what is desired.
All opt-out does (for anything, not just this) is tell me I'd *REALLY* want to turn it off, because someone figures the only way to get it switched on is to have it on by default and at least some will miss it or fear changing any default settings.
I don't subscribe to RMS's GNUtopian vision.
An interesting position to take on a forum whose development mantra is "a thousand eyes makes bugs shallow".
It is part of my job to be aware of EULAs and other licensing in the solutions I propose to my clients. For some reason software companies keep their EULAs concise and to the point, as they'd rather not have anyone violate it.
Let's look at an excerpt from an MS EULA:
i. Distribution Restrictions. You may not
- alter any copyright, trademark or patent notice in the Distributable Code;
- use Microsoft's trademarks in your programs' names or in a way that suggests your programs come from or are endorsed by Microsoft;
- distribute Distributable Code to run on a platform other than the Windows platform;
- include Distributable Code in malicious, deceptive or unlawful programs;
- or modify or distribute the source code of any Distributable Code so that any part of it becomes subject to an Excluded License.
An Excluded License is one that requires, as a condition of use, modification or distribution, that
- the code be disclosed or distributed in source code form;
- or others have the right to modify it.
That is not and should not be too complicated for an educated sixteen year old to understand; if one can read and discuss Shakespeare or Melville, one can read and discuss that EULA.
"The whole story": this is not news and was actually publicized a long time ago, before it was actually put into use, however, several overly paranoid, overly dramatic people were only just made aware that it was happening, and all of a sudden it has become:
"my phone system is transmitting my credit card number to a multi-million dollar commercial entity who is only interested in robbing all the people who use its FREE software solution, because this established entity doesn't make any money on their commercial product that is $400-500 per port, which has thousands of installations world wide."
unfortunately they were lax in their notification of statistic gathering and did not place a 10 page EULA on the installer that users never read anyways.
FYI - the system collects hardware stats, such as what brand trunk card you use, which phones, and which server architecture. It does not transmit any actual usage stats, which would still be completely harmless. They then use these stats to get capital from the manufacturers of the hardware that these stats report on, which is used to fund development of this wonderful FREE PBX. This reporting is pretty close to plain sight, and can be disabled, just the same as Automatic Updates on a Windows PC.
The concerning part, yes, it calls for some code at the Fonality data center - again - you can turn it off. If you are that much of a security geek, you should know how to use cron, or stay away from Linux servers; chances are you will leave a hole open on something a lot more important than a phone system - would hate to think of how many people have leaked credit cards from shopping carts. The REALLY concerning part - this hole is being talked about on security forums like this.
Really, if they don't like that, no one has forced them to use this FREE software, and they have paid no money out to expect anything more (although they should). Fonality now has a full opt-in disclaimer so that people like this can know that their phone system could be sending vital information about which handset they use before they start.
Signed,
Someone who supports the development of FREE open source software.
Had this been a Microsoft product everyone would be screaming about privacy violations and the evil of corporations.
MS = root of all evil
FOSS = root of all things wonderful, bright, colorful, and jellybeanish
The developers collect the information, and then sell it to advertisers to make a quick, easy buck off of their users.
Apparently selling a commercial version of their software doesn't give them enough money, they have to covertly do this as well.
The key mistake they made here is that they made it opt-out and difficult for an inexperienced user to opt-out.
The correct move would have been to provide a separate page during the install that said in big bold letters,
"WOULD YOU LIKE TO SUBMIT YOUR USAGE, HARDWARE, SYSTEM, AND INSTALLATION STATISTICS REGULARLY TO US FOR OUR FINANCIAL GAIN TO HELP SUPPORT THE PROJECT",
with the default obviously being "NO".
Did anyone bother to notice that your mobile and landline phone companies know *WAY* more about you than this program could ever hope to collect? I mean, these guys bill you for every call you make, know exactly who you're calling and for how long, have been known to allow just about anyone in law enforcement to wiretap your line for even the flimsiest premise, yet the Slashdot crowd is more concerned with an open-source-based PBX collecting some high-level meta-data from users in an opt-out fashion?
!spelling...
Also it would be good form to expand an acronym just once in the summary. Private Branch Xtreme?
(I'm expecting answers with "google" and "wikipedia" and "can't you" in them; but I'm talking about good form and politeness toward audience. I'm a specialist in a fairly narrow field and I wouldn't cavalierly/arrogantly throw our TLAs at a large diverse audience. Yes, I didn't know "PBX", my work doesn't remotely touch telecom.)
It is part of my job to be aware of EULAs and other licensing in the solutions I propose to my clients. For some reason software companies keep their EULAs concise and to the point, as they'd rather not have anyone violate it
You must have a very different definition of the word concise.
You take a very small excerpt from a random MS EULA and point out that it can be understood. So what. Quote the other 20 pages and see how reasonable it is. But that sounds like an exaggeration so let me produce something solid to counter your nonsense claim that EULAs are short.
Since you picked a EULA let me point you to:
http://www.microsoft.com/about/legal/useterms/default.aspx
- The Microsoft Word 2007 EULA is 19 pages in Acrobat format.
- Vista has a combined EULA for Home Basic, Home Premium and Ultimate. It is 14 pages long.
So if you buy a computer with a word processor you're expected to digest 30-35 pages. Add a handful of other programs (heck, add Office) and soon you're into over a hundred pages. By the time you have a usable system for a power user you're probably somewhere around 500-1000 pages. So come on, be honest, even if you reject what I say (and I don't think it's an even slight exaggeration), even if it's only a couple of hundred pages, name me 5 people you know that read that many pages before touching their software! Be honest, and don't include people who are paid to do little other than evaluate software, or manage large installations.
It's getting worse too. The XP Pro EULA was just over 5 pages long.
Hey it's not just Microsoft, though they're becoming particularly bad offenders. Even the GNU Public Licenses take some time to understand fully, and even then there are debates about meaning. Heck I could spend all night adding up the pages for each EULA on the machine I'm using to prove my point conclusively, but I don't have any intention of wasting that time. You know I'm right.
EULAs are often long.
EULAs are often vague.
EULAs often include onerous or questionable restrictions.
http://www.eulahallofshame.com/yahoo-tos.html
EULAs often can't be rejected as publishers and distributors refuse or make it very difficult to take it back once the shrink wrap is broken (because assuming everyone is dishonest and will infringe on copyright is acceptable). So why bother reading something when you've already made the choice to buy the software?
This is not a reasonable way for things to be, and if you honestly expect people to be reading these, you're quite plainly gibbering mad.
If this were Microsoft or Blizzard you guys would be raising holy h3ll.
but since it's an "open source" tool it's
* not that big of a deal
* Shoulda been obvious to you n00b
* Duh Read the EULA
Hypocrites all
This doesn't surprise me in the least.
It's another example of why Linux needs something like the functionality that Zone Alarm provides whereby an interactive user is always prompted before a program is allowed to connect to the internet. I for one do not want any program whatsoever to be able to connect to the outside world before I have expressly given my permission.
Given the way companies like Sony & Microsoft have behaved in the past vis-a-vis "phoning home" & rootkits etc., I don't trust any program that tries to connect to the net.
There are starting to be far too many programs on Linux that do things like report statistics, go off to fetch cover art from Amazon etc. etc. Sorry but I am not going to blindly allow people to collect data on me or monitor my internet usage etc. etc. I actually value my privacy.
On which subject I'd also like to see the major desktop oriented distributions adopt a "nothing connects by default" standard for any desktop app they include in the distribution. Before a program can go to the internet the user should have to specifically say it can.
For a desktop user something like Zone Alarms would be ideal. First time an app tries to connect to the internet you're asked whether it can. You can then allow it permanently or temporarily or you can ban it permanently or temporarily. This might make it a slight pain to initially set up your desktop but I'd rather this than Joe Random Programmer being able to start pulling back stuff off my machine without permission.
This issue needs seriously addressing by the Linux community now, before we get something like a Sony rootkit fiasco.
And why yes I am paranoid, and history will prove the likes of me right (again).
Okay, I'm not going to say this isn't a big deal, because it obviously is, but really- it's pretty damn obvious when you install it that it wants to be in constant communication with home-base. This really shouldn't be "news" to someone who has installed it. I do agree that they should do a much better job of informing people up-front that their product requires this. I installed Trixbox as a test. I've had an active Asterisk install going for over a year, and was looking for a simple interface my tech. support guy could deal with for phone moves. I wasn't impressed. There seemed to be a lot of unnecessary overhead and ties to Fonality's servers, and it just flat-out couldn't deal with my hardware configuration (multiple T1 and analog ports tied to an existing PBX). Frankly- it came off as something like "free for now", until you get tied to it and we decide to start charging for accessing our servers, which you have no choice but to do. There is a great book called: Asterisk - The Future of Telephony (get the 2nd edition, which makes the first look pretty sad). This is really all you need to get rolling with Asterisk. It's good to understand the config files and database integration possibilities, even if you later decide to go with something like FreePBX or AsteriskNow to make things easier. If you have a decent Linux background, Asterisk can be cake once you have a bit of education about how phone systems operate.
OK folks, time to check our bias level here. If Sony installed a script that logged into their website and downloaded a list of commands to execute on your system to "collect usage data", would we be impressed? I didn't think so. We were very much up in arms about the Sony rootkit, and should be about this too.
So if an OSS project does the same, why should we be any less outraged? It's still a violation of any sort of professional ethics. It doesn't matter that the script is in clear text on the system; who here has the time to go through every script on a new installation of their favorite distribution?
We trust the package suppliers to disclose anything we need to know about. If that trust is breached we call them to task on it.
Well the trust has been breached in this case and the community needs to call the developer to task on it so that it's clear that this sort of behavior is unacceptable. I've read some comments that you're getting it for free. So it would be acceptable for Linus to start including arbitrary command execution backdoors into the kernel?
Remember the Trojan Horse didn't have a price tag attached either!
The freePBX team has also commented on the issue. In short they want to make it clear that running arbitrary commands sent from the Fonality server is a trixbox/Fonality issue and has nothing to do with freePBX. FreePBX's "phone home" functionality is just a "check for updates" sort of thing. Of course if the modules are not digitally signed and verified, then a man in the middle attack is still possible and malicious versions of modules with a little "extra goodness" added could be sent to the pbx for automatic installation.
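The two risks raised in this thread (a cron job that executes whatever command list the registry host returns, and update modules installed without a signature check) share one fix: verify before you act. The following is an added example, not Trixbox, Fonality or FreePBX code; it shows the trusting handler beside a hardened one and assumes a constructed JSON envelope of the form {"manifest": ..., "tag": ...}, an HMAC-SHA256 tag over a pre-shared key standing in for a public-key signature, and a constructed allow-list of inventory commands.

```python
import hashlib
import hmac
import json

# Constructed for this example: the only inventory commands the agent may ever run.
ALLOWED_COMMANDS = {"uname -m", "lspci", "cat /proc/cpuinfo"}
MAX_AGE_SECONDS = 24 * 3600      # one cron interval; anything older is a replay
DEMO_KEY = b"constructed-pre-shared-key"   # constructed; a real agent would hold a public key
DEMO_NOW = 1_700_000_100                   # constructed "current time" (epoch seconds)
MODULE_BYTES = b"constructed module bytes" # constructed stand-in for a downloaded module


def canonical(manifest: dict) -> bytes:
    """Deterministic JSON so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Server side: HMAC-SHA256 tag over the manifest (stands in for a real signature)."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def check_manifest(manifest: dict, tag: str, key: bytes, host_id: str, now: int):
    """Client side. Returns (accepted, reason, commands) and never executes anything.

    Order matters: the signature is checked first, so a spoofed DNS answer or a
    hijacked registry host cannot even reach the later checks."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return False, "bad signature", []
    if manifest.get("host_id") != host_id:
        return False, "not addressed to this host", []
    issued = int(manifest.get("issued", 0))
    if not (now - MAX_AGE_SECONDS <= issued <= now + 300):
        return False, "stale or future-dated manifest (replay?)", []
    commands = list(manifest.get("commands", []))
    rejected = [c for c in commands if c not in ALLOWED_COMMANDS]
    if rejected:   # even a correctly keyed but compromised server cannot run arbitrary commands
        return False, f"not on allow-list: {rejected}", []
    return True, "ok", commands


def check_module(blob: bytes, name: str, manifest: dict) -> bool:
    """Update case: install a downloaded module only if its SHA-256 is in the verified manifest."""
    expected = manifest.get("modules", {}).get(name)
    return expected is not None and hmac.compare_digest(hashlib.sha256(blob).hexdigest(), expected)


def vulnerable_commands(envelope: dict) -> list:
    """The pattern the thread describes: run whatever the server (or an impostor) sent back."""
    return list(envelope["manifest"]["commands"])


def hardened_commands(envelope: dict, key: bytes, host_id: str, now: int) -> list:
    """Same wire format, but only allow-listed commands from a verified manifest are returned."""
    accepted, _reason, commands = check_manifest(
        envelope["manifest"], envelope["tag"], key, host_id, now)
    return commands if accepted else []


def sample_manifest() -> dict:
    """Constructed manifest of the kind a registry server might publish for one PBX."""
    return {"host_id": "pbx-01", "issued": 1_700_000_000,
            "commands": ["uname -m", "lspci"],
            "modules": {"core": hashlib.sha256(MODULE_BYTES).hexdigest()}}


if __name__ == "__main__":
    good = sample_manifest()
    legit = {"manifest": good, "tag": sign_manifest(good, DEMO_KEY)}
    # Constructed: what an impostor registry host (wrong key, extra command) would return.
    spoofed = {"manifest": dict(good, commands=["id"]), "tag": "0" * 64}
    for label, env in (("legit", legit), ("spoofed", spoofed)):
        print(f"{label:8s} vulnerable -> {vulnerable_commands(env)}")
        print(f"{label:8s} hardened   -> {hardened_commands(env, DEMO_KEY, 'pbx-01', DEMO_NOW)}")
    print("module ok:", check_module(MODULE_BYTES, "core", good))
```

The allow-list check is what limits the blast radius if the registry host itself is compromised, which is the "sure hope their server is up to date on patches" case.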
...n00bs. I compiled Asterisk from source and feel like the flexibility is much greater.
and (emphasis mine)
were you being ironic or do you mean just the acronyms you haven't come across?
some of you might remember that trixbox started out as asterisk@home.
I've run A@H 1 and 2 and even trixbox... and I must say... ever since KerryG and Fonality took full control and essentially "killed" the A@H branding/identity/ethic/attitude, the project has gone seriously downhill.
I've had run-ins with Kerry before... and all I'll say in this public forum is that the guy really isn't a positive influence.
The forking of the project into CE and Commercial versions was only exacerbating the underlying shift towards an essentially exploitive distro. Requiring an internet connection to trixbox in order to configure your own box? Requiring a user account on their site to configure what is ostensibly supposed to be an open source based project? Maybe these actions aren't WRONG per se... but certainly the ethics are questionable.
The truth is, ever since it went this way, I've actually decided NOT to upgrade my A@H 1.3 version. The bells and whistles aren't really worth it.
I'm hoping some other distro, or fork, will come along that remains true to the principles they started with.
It's really sad to see, considering how excellent the work that went into A@H / trixbox is. These guys have done a wonderful job packaging several complicated and time-consuming products together into an easy and accessible distro. However... somewhere along the way someone *cough* Kerry *cough* Fonality *cough* decided to push those efforts into LOCK-IN style profitability.
(There's nothing wrong with getting commercial support packages... but forcing people to sign up to your organization and forking a far less than active sub-version on your community is an insult.)
Sorry we got busted but we'll fix it in the next release.
Thanks for your data though.
Sounds almost exactly like WoW's Warden, minus the anti-cheat.
Any hacker who can control either of these servers can get everyone to join their botnet...
I have been trying to figure out why any competent engineer would architect a system this way. Then I thought, maybe they are just doing what an existing system already does. From looking at the registry.pl file, the URI contacted for the script differs based on the server ID and a Fonality-specific config file. It looks like there are three choices for the download URI: one is registry.trixbox.com (if the Fonality config file is not present), but the others are proregistry.trixbox.com, or update.fonality.com, which look like the other Fonality PBX products that are in the field today (Trixbox PRO and Fonality's proprietary system). This sure looks to me like this same process and terrible security architecture is used by trixbox pro and Fonality PBXs as well as trixbox CE. Yet no one at Fonality has admitted this, much less issued a security advisory. I have posted a question to the Fonality folks in the trixbox phones home thread, but no reply. Does the Fonality user base realize how vulnerable they are? How many users put their PBX on a special firewalled network separate from their corporate systems? This looks like it is a far bigger problem than just trixbox. And why is Fonality not talking about the other platforms?
http://voipusersconference.org/ for instructions on how to hear Fonality's response live and participate by asking questions or giving your opinion about this subject.