Slashdot Mirror
Linux-Based Phone System Phones Home
An anonymous reader writes to let us know that users of Trixbox, a PBX based on Asterisk, recently discovered that the software has been phoning home with statistics about their installations. It's easy enough to disable, and not particularly steathy (beyond encrypting the data sent back), but customers in the forum are annoyed at not having been informed of the reporting. Trixbox is owned by Fonality, which makes customized PBXs (again based on Asterisk) for paying customers.
A product named Trixbox is really a box of tricks...
The initial setup at the web GUI makes it apparent that it wants to send stats back to home-base. How this can take people by surprise is baffling.
// -- http://www.BRAD-X.com/ --
What's the problem here?
The issue here is not just the fact that it is phoning home - it is the method in which it is done. This has been reported as a security vulnerability to the voipsec mailing list. http://voipsa.org/pipermail/voipsec_voipsa.org/2007-December/002522.html
From the forum:
The point is that people should have been given a means to easily opt-out of the data collection process which is something we totally overlooked and in seeing the reaction we realize that this was a big mistake on our part. While it is pretty trivial for anyone with basic linux knowledge to disable it, the issue is that a) we didnt inform people well and b) we didn't make it easy to turn off. We thank you for your support on this but anytime there is a more than a few people complaining about something it means we missed the mark on it. So, as a team and a company we fix it and learn from it. -- Kerry Garrison trixbox Community DirectorAnd I'm somewhat annoyed by KerryG's assertion that "Both trixbox and FreePBX have phone-home mechanisms in them." Now, admittedly, I relinquished FreePBX at the beginning of this year due to personal commitments, but I have ALWAYS been dead against 'phone home' information. We DID have a rough idea of how many machines were actively being maintained by the 'hits' on the modules.xml file that contains the current version of all the modules and download links for it. That's it.
The only other slightly information-divulging bit of information was the built-in IRC client did a 'uname -n' and specified what distro the client was running. It broadcast that in a 'notice' to the FreePBX channel. This was highlighted on the IRC page, with exactly what would be sent.
FreePBX has NEVER 'phoned home'. I would be amazingly upset if it was doing so now. Trixbox, on the other hand, may do that, but please do NOT link the FreePBX project with it.
--Rob
Schlock Mercenary.
Nah ... it's just that people don't bother to read what's in front of them. Had there been a big blurb during the software install that proclaimed "we collect anonymous usage statistics" nobody would have cared, but because it wasn't made sufficiently obvious people think there's something devious going on.
The higher the technology, the sharper that two-edged sword.
This is a key point. A cron entry runs a process on the PBX every 24 hours that connects out to trixbox and picks up an arbitrary list of commands. It executes those commands (under whatever authorities it wss installed with) and returns the results. Sure hope their server is up to date on patches. That assumes DNS sent back the right server to begin with and not a spoofed site with a "different" set of commands.
In what universe does this seem like a good idea?
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
We did it ourselves and saved >$100/month for a small business. Just use Asterisk (free and open source), buy some inexpensive but full-featured phones like the Grandstream GXP-2000 (about $80 each), and get a termination provider like VoicePulse Connect for Asterisk ($11/month for four simultaneous channels, free incoming, and below $0.01/min for most outgoing). It took some work to get it all set up and working properly, but now is actually more reliable than the analog phones ever were. (We had phone company issues every few months... just awful.)
--
Educational microcontroller kits for the digital generation.
So the fact that software installed on Linux will do what it is programmed to do is a reason to migrate away from Linux? I will consider migrating to something else when there are known and exploited holes in the security which allow websites to arbitrarily install software without user permission. Until that, you just have to research what software does to stay safe, or only install software from known and trusted sources. But if you really want to migrate away, don't claim that you are doing it to stay secure: you are doing it because you cannot understand the details of problems, or because you can but just want to move away from Linux, since it is too popular for you.
And please, whatever you do, don't claim that "spyware and other malware" is beginning to show up on Linux - or, if you do want to tell people that, please remember to say that it is stuff which the user has to choose to install, not something which can be installed just be going to an infected website.
Everything is subjective.
Kerry has already addressed this in his blog:
http://www.trixbox.org/trixboxs-new-hardware-audting-tool
Did anyone bother to notice that your mobile and landline phone companies know *WAY* more about you than this program could ever hope to collect? I mean, these guys bill you for every call you make, know exactly who you're calling and for how long, have been known to allow just about anyone in law enforcement to wiretap your line for even the flimsiest premise, yet the Slashdot crowd is more concerned with an open-source-based PBX collecting some high-level meta-data from users in an opt-out fashion?
d; if one can read and discuss Shakespeare or Melville, one can read and discuss that EULA.
Oh and by the way reading Meliville and Shakespeare is called getting an education. It serves a purpose to learn about other times, other places, other language and about heritage. In contrast, reading a EULA is just a complete waste of time. If one does not understand the difference, then one's education has failed one miserably.
These posts express my own personal views, not those of my employer
OK folks, time to check our bias level here. If Sony installed a script that logged into their website and downloaded a list commands to execute on your system to "collect usage data" would we be impressed? I didn't think so. We were very much up in arms about the Sony Rootkit, and should be about this too.
So if an OSS project does the same why should be any less outraged? Its still a violation of any sort of professional ethics. It doesn't matter that the script is in clear text on the system, who here has the time to go through every script on a new installation of their favorite distribution?
We trust the package suppliers to disclose anything we need to know about. If that trust is breached we call them to task on it.
Well the trust has been breached in this case and the community needs to call the developer to task on it so that it's clear that this sort of behavior is unacceptable. I've read some comments that you're getting it for free. So it would be acceptable for Linus to start including arbitrary command execution backdoors into the kernel?
Remember the Trojan Horse didn't have a price tag attached either!
Min
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
The freePBX team has also commented on the issue. In short they want to make it clear that running arbitrary commands sent from the Fonality server is a trixbox/Fonality issue and has nothing to do with freePBX. FreePBX's "phone home" functionality is just a "check for updates" sort of thing. Of course if the modules are not digitally signed and verified, then a man in the middle attack is still possible and malicious versions of modules with a little "extra goodness" added could be sent to the pbx for automatic installation.
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
some of you might remember that trixbox started out as asterisk@home.
Ive run A@H 1 and 2 and even trixbox... and i must say... ever since KerryG and fonality took full control and essentially "killed" the A@H branding/identity/ethic/attitude the projec has gone seriously downhill.
Ive had run-ins with kerry before... and all ill say in this public forum is that the guy really isnt a positive influence.
The forking of the porject into CE and Commercial versions was only exacerbating the underlying shift towards an essentially exploitive distro. Requiring a internet connection to trixbox in order to configure your own box? requiring a user account on their site to configure what is obstensibly supposed to be open source based projects? Maybe these actions arent WRONG per say... but cetainly the ethics are questionable.
The truth is, ever since it went this way, ive actually decided NOT to upgrade my A@H 1.3 version. The bells and whistles arent really worth it.
Im hoping some other distro, or fork will come along that remains true to the principals they started with.
Its really sad to see, consdiering how excelent the work that went into A@H / trixbox is. These guys have done a wonderfull job packaging several complicated and time-consuming products together into an easy and accesable distro. However... somewhere along the way someone *cough* kerry *cough* fonality *cough* decided to push those efforts into LOCK-IN style profitability.
(theres nothing wrong with getting commercial support pacakges... but forcing people to sign up to your organization and forking a far less than active sub-version on your comomunity is an insult)
--Idiots, Every single one of YOU, A flaming mass of conglomerated morons, hey wait a second, isnt that how RAID works?