trixbox CE audit tool official statement
Dear trixbox CE community,
In an attempt to “Communicate Openly” (a mantra we preach religiously here at Fonality, despite our occasional lapses), I am going to explain the different methods by which trixbox CE systems communicate back to Fonality. Before you read this entire thing, please note that near the bottom of this document you will see that we are going to make a number of changes to “Heartbeat V3.0” as a result of all of your feedback. These changes are not a result of real security issues, just a desire to keep everyone feeling secure. Thank you for being candid with us, and please accept this document as our sincere desire to remain open with you:
Heartbeat V1.0
Around 18 months ago, with the release of trixbox CE 1.0, we realized that we had a basic problem – we had no idea how many people were actually using trixbox CE. Sure, we knew our download volume…but, nothing else. So, without some basic sense of the viability of this project, we weren’t able to understand its impact – hence we weren’t able to appropriately budget the necessary financial resources to fund/improve trixbox CE. As such, we designed a basic heartbeat system. This system was discussed on the forums prior to launch in a thread started by Andrew Gillis. For the sake of 100% open communication, here is a re-hash of what Heartbeat V1.0 does:
When you use the trixbox CE dashboard, the system sends a generated unique identifier (GUID) back to Fonality. This GUID is generated upon the first connect. This GUID serves the purpose of informing Fonality that a trixbox CE system is actually “in use”. This system only heartbeats when the dashboard is actually used. Here is a complete list of what Fonality learns from this heartbeat:
1. A machine with a GUID has been used.
2. The timestamp of when it was used.
3. The IP address the GUID came from.
Heartbeat V2.0
There was a problem with Heartbeat V1.0. Basically there was no “who” attached to it. This means that we had no way of relating servers to people. As such we could not communicate back with folks in order to give them discounts (heartbeat discount club), give them paid support, let them know about urgent updates to their system, etc. So, around 11 months ago, with the launch of trixbox CE V2.0, we introduced a voluntary registration system, that for the sake of this discussion we shall call “Heartbeat V2.0”. Here is how it works:
When you first use the trixbox CE dashboard and you go to the Admin Panel a pop-up “registration window” appears. It asks you if you want to register. If you do register, Fonality will know exactly what data you chose to send us in your registration process. A byproduct of knowing this is that we could trace “you” to “your GUID”. Hence, we can know “who” is heartbeating. However, if you choose not to register, then Heartbeat V2.0 does not impact you in any way.
Heartbeat V3.0
Recently, Fonality has been trying to grow the CE development team (engineers+QA) as well as learn more about what types of hardware we need to build better interoperability with (there is just too much SIP hardware out there to test/QA everything). As such, we went to some of the vendors in the space and asked them to financially support trixbox CE because we assumed (based on reading the forums) that their products were being used by the trixbox CE community. Their answer, quite predictably, was “sure we will help out, if you can prove our products are in use.” Clearly, neither Heartbeat V1.0 nor 2.0 ever dealt with the “what”. Therefore we had no way to answer the “what” question.
This meant that these vendors would never contribute toward our investment in CE, reducing the total dollars spent on CE development. The thing is, these vendors wanted to give us money to drive CE…but they wouldn’t do it unless we could prove CE was delivering business to them.
Thus was born Heartbeat V3.0. Below is an FAQ about Heartbeat V3.0:
When did Heartbeat V3.0 launch?
About three weeks ago.
Who got it?
Anyone who has installed 2.2.10 or later in the GA branch or 2.3.0.10 or later in the beta branch. Or, anyone who has done an “update” to their system in the past three weeks via the web-based package manager or directly via yum from the CLI.
Why didn’t I know about it?
Because we are idiots. More on that later.
What V3.0 does
V3.0 is really a “hardware audit tool” and it essentially tells us a bit about the hardware configuration on your server. Here is an exact list of everything it tells us:
1. IP Phone types and count
2. Useragent details (firmware version & MAC address)
3. OS version
4. RPMs installed
5. Info about cards, such as PSTN interface cards
6. Motherboard details such as manufacturer
7. Asterisk version
8. trixbox CE version
9. Registration Key, if the system is registered (see Heartbeat V2.0 above)
How does V3.0 do what it does?
Your trixbox CE sends an encrypted (unique) message to Fonality once every 24 hours. This message contains the exact data we have described above. It does not contain any user data (phone numbers, user names, email addresses) or usage data (who you called, what you did on the system, configuration, mod, etc.). The code is all open source and human readable on your trixbox CE server.
Um, can you give me a deeper technical explanation?
Ok, here goes. This communication is done via a Perl script which sends encrypted communication back to Fonality. Of course, like most implementations, the first connection to get the key is not encrypted. Once the key is established, the connection becomes secure. This Perl code is available on your server, in human-readable format, should you wish to peruse it. It can be found in /var/adm/bin/registry.pl
What we have learned and what changes we are making
1. Communicate Openly
We never meant to *not* disclose Heartbeat V3.0 three weeks ago. Honestly, we are a growing company, and as companies grow sometimes communication starts to break down, especially when we are working like demons to get trixbox CE 2.4 out the door. This is a classic case of communication break-down and nothing more Machiavellian. So, going forward, we are going to make a stronger commitment than ever to being transparent about everything we do, so that the right foot doesn’t trip over the left.
2. Inform new trixbox CE users up-front
The next version of trixbox CE will inform users *during install* about the Heartbeat system, and tell them how to disable it (in a simple manner from the dashboard, with no Linux, Asterisk, or CLI experience required.) This will be completed by December 21, 2007.
3. We are removing even our ability to ever modify this script
Fonality had (note the past tense) reserved the right to change this script at our discretion (to update it in case it is not efficient, make it more accurate, improve its security, make it stop checking in, etc.) The problem with this approach, as pointed out by a number of our community, is that a hacker (highly unlikely) or a malicious employee (only 1 at Fonality has the ability) could…well…be malicious. We took a very serious approach to the security of this solution. I won’t go into all the details, but suffice to say that, besides the aforementioned encryption, the actual server that could make changes is *not* on the Internet, or even available to most Fonality employees. It is proxied through a series of hops and protocols and highly protected at our data center. However, we have to be candid and say that any system that accepts open commands from another system can be a threat. As such, we are going to be removing (yes, removing) even *our* ability to modify this script. The only thing we will have the capacity to do to this script, upon check-in, is to tell it to *stop* running it. We think it is ethical that we retain at least this much control.
In closing, we would like to first apologize for upsetting anyone. Our goals are to fund trixbox CE to give it long term viability, and we got ahead of ourselves in not being transparent enough. Secondly, we would like to again thank you each (with a special shout to Lars) for being so candid with us. Hopefully, we have reacted quickly and ethically to your concerns.
Openly,
Chris Lyman, Fonality CEO
Andrew Gillis, trixbox Founder
Kerry Garrison, trixbox Community Director
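
Point 3 of the statement describes narrowing the check-in channel so that the server can only tell the script to stop. The sketch below is an added example of that design in Python, not Fonality's Perl code from registry.pl; the `STOP` directive, the one-line reply format and the marker-file path are all hypothetical.

```python
import os

# Assumed wire format (hypothetical): the check-in reply is one short ASCII line.
STOP_DIRECTIVE = b"STOP"
MAX_REPLY_BYTES = 64  # a valid directive can never be longer than this


def parse_reply(reply: bytes) -> str:
    """Reduce a raw check-in reply to 'stop' or 'continue'.

    The reply is only ever compared against a constant. It is never
    evaluated, written to disk as code, or passed to a shell.
    """
    if len(reply) > MAX_REPLY_BYTES:
        return "continue"  # oversized reply: ignore it
    if reply.strip() == STOP_DIRECTIVE:
        return "stop"
    return "continue"  # unknown directive: ignore it


class HeartbeatClient:
    """Client-side state for a reporter whose server can only switch it off."""

    def __init__(self, flag_path: str):
        # Hypothetical path of a local "disabled" marker file.
        self.flag_path = flag_path

    def should_check_in(self) -> bool:
        return not os.path.exists(self.flag_path)

    def handle_reply(self, reply: bytes) -> str:
        action = parse_reply(reply)
        if action == "stop":
            # One-way switch: no reply can delete the marker again;
            # only a local administrator can.
            with open(self.flag_path, "w") as fh:
                fh.write("disabled by server STOP directive\n")
        return action
```

Because the reply is reduced to one of two fixed outcomes before anything acts on it, a compromised or misused server gains no way to change what runs on the client.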
