Trixbox Phones Home

rstebih
Posts: 46
Member Since:
2007-01-13

I have just been made aware of a file '/var/adm/bin/registry.pl' that contains the following commented lines describing the program:

# This file is design to be executed regularly by an external controller such as cron.
# It retrieves a list of commands to be executed from the specified URI and executes them, saving the output
# and returning it to the webserver as an encrypted string.

Just thought I'd let you all know....

Rudy

--

Rudy



kerryg
Posts: 6793
Member Since:
2006-05-31

trixbox has always "phoned home" so there is nothing new here, we just changed how we do it now because it had the side effect of causing problems in the dashboard interface before. It sends some anonymous usage stats so we know how many active systems running what versions are out there.

--

Kerry Garrison
http://www.VoipStore.com - http://3cxbook.com
(888) VOIPSTORE - (888) 864-7786



kerryg
Posts: 6793
Member Since:
2006-05-31

I have heard that this is coming up in IRC and other chat rooms. Again, this is nothing new. Both trixbox and FreePBX have phone-home mechanisms in them. The BIG difference between the old way and the new way is that you can disable the new method where before you had to go through all kinds of hoops to get rid of it because it was more stealthy. Simply killing the cron entry will stop the process.

So what does it actually do? Let me explain. We are only looking at the number of phones (and types) that are connected to a system. This tells us how many real systems exist. In the future you will be able to opt-in to provide us with more information once we figure out what we can offer you back for doing so.

--

Kerry Garrison
http://www.VoipStore.com - http://3cxbook.com
(888) VOIPSTORE - (888) 864-7786



RayGannon
Posts: 101
Member Since:
2006-05-31
So what have you learned ?

How about a brief breakdown on the collected stats ? Not just what data is collected from each system but the results of all the collected data for the year. How many installed systems ? What's the average number of phones per system ? What's the max ? etc...



berniem
Posts: 205
Member Since:
2006-11-15
Wow x 2

There were "news" reports some time ago about a mini-fad whereby one or two people (teens, and low-twenties, as a rule) were "living" in people's houses for weeks and months at a time. They would wait until the legal inhabitants left for the day and they'd enter and spend the entire day there. Sleeping, showering, watching TV, eating, whatever. When the legal inhabitants were due home, the trespassers would leave and come back the next day.

When they were discovered, I wonder how often they would say "Hey, this isn't new - we've been doing this for months." I wonder how such a line would go over there.

Something being newly brought to light does not mean it's "ok" because it's been around for a while. (Just ask the Iran-Contra or Watergate guys.) There's a reason companies like Real and Microsoft (just to name a couple of the more high-profile of the zillions) ASK before they collect even "anonymous" information: because when they don't, people (ie: customers) get pissed. In this day and age, privacy is more and more important, regardless of whether it's paying customers via trixbox PRO or non-directly-paying customers via something like trixbox CE - to collect a user's data without letting them know and allowing an opt-out (the more proper approach, of course, is an "opt-in" method) is certainly ethically wrong and might even possibly be against the law.

One is forced to wonder why, if this is not at all a big deal, is the fact that trixbox contains covert information collection code not mentioned anywhere? Is it in the install sequence? Any help screen anywhere? The forums? ANYWHERE? If so, it's buried well, because I've spent a year looking at trixbox stuff and have yet to see anything before this.

It's not at all comforting to know that y'all are considering gathering MORE information from which the user might be able to opt-out.

(Oh, and to say the data is "anonymous" is not entirely true - for any user that has a fixed IP address, you'll know quite a bit of information specific to that user/company/organization.)

In short, such collection of user information is not appropriate and not acceptable. Please remove this code or modify it to an opt-in process.

Thank you.



kerryg
Posts: 6793
Member Since:
2006-05-31

We haven't written the reports yet :(
Our goal is to have our new reporting engine done by the end of the month. Many of you guys are resellers and could really use the information to help sell clients by showing how many installed systems are out there. With the new reporting system I can tell you that we have heard from just over 25,000 systems this month.

Here is what we will NOT collect: minutes used, phone numbers, extension info, call reports, nothing like that. Only hardware data, not usage statistics. Early next year there will be an option to provide us with information like that if you choose to opt-in, but until I can offer a discount, a drawing, or even a T-Shirt I won't feel right about even asking.

--

Kerry Garrison
http://www.VoipStore.com - http://3cxbook.com
(888) VOIPSTORE - (888) 864-7786



drmessano
Posts: 208
Member Since:
2006-10-10

I had just updated a forum topic I had posted concerning the large queued emails and procmail locking up with a link showing this had to do with some snooping that was going on.

This is nuts that this sort of collecting has been going on. Sorry, but there is no such thing as "anonymous usage stats". The burden of proving anonymity of stats gathered from software over the internet lies in the hands of the ones doing the collection, and therefore is subject to their interpretation. Fonality could collect usernames, passwords, e-mail addresses, even record calls via a script, emailing the results out every night, and still claim anonymity because they're not logging the IP addresses the info came from. No, I don't think that's going on, but certainly you can see my point.

Had it not been for a misconfigured mail relay, I never would have seen these files building up in my mail queue. Are these files at over 1GB going out every night? Once a week? How much of my bandwidth is being consumed by this crap anyway?



kerryg
Posts: 6793
Member Since:
2006-05-31

We certainly could have gone to any amount of effort to hide this and we fully disclosed our intention to collect bits of data well over a year ago with the release of trixbox 2.0. The engineers asked how covert we wanted it to be and Andrew and I insisted on several key points:

a) It's easy to disable
b) It is not compiled code so anyone can clearly see what the code is doing
c) It could not take up any appreciable system resources
d) Collection had to happen at off-hours so as to never impact a system
e) We would not hide any components of it from the users

All of our scripts that we write are completely open code that we welcome the community to go through and be the check and balance against anything we do and we have always been like that. The really hard core guys here had some really sneaky ways to implement this that nobody would ever find or be able to disable but that went completely against most of the directives we laid out so we did it in the most basic means possible so that people could disable it as well as review the code.

The data sent from a system is less than 1k.

--

Kerry Garrison
http://www.VoipStore.com - http://3cxbook.com
(888) VOIPSTORE - (888) 864-7786



berniem
Posts: 205
Member Since:
2006-11-15
Uh

Kerry, your protestations that it's obvious and plain for all to see is contradicted by this statement:

"... before you had to go through all kinds of hoops to get rid of it because it was more stealthy."

"Stealthy" is not a word used when being open and obvious.

So, for those of us unlucky enough to not be running bleeding-edge builds, what are the hoops through which one must jump to remove/disable the stealthy data collection code?

At the very least, provide some clue what to look for, because I've been looking for about an hour now, and still can't find this open and obvious code.

Thank you.



jahyde
Posts: 2002
Member Since:
2006-06-02

this topic has been in and out of the forums for some time, just cause someone only read it just now doesnt mean its been hidden, and really ET phoned home, even the government probly knows when you phone home, and they probly will never admit it - nobodys complained yet.

dont forget - if your not comfortable with it turn it off, theres always the roll your own, nobody is forcing anybody to use trixbox.

I suppose Fonality should make one of those "EWLA" agreements like M$ uses that loads everytime you pop in the disk, of which you have never read line 1.

Fonality could also argue that since you didnt pay, the software is still theirs, and they can do what they wont with.

I am sure this will be one of those lame topics that clogs the forum with 200 posts in 2 weeks, and there are several valid points tilting either way, however the main point is that it was implemented for the good of the community, I would love to be able to tell my clients there are proven statistics of usage that may someday be near avaya stats of usage.

I think I would know if kerry was using my vitelity login to call his girl friend in Hong Kong, but I think he probly has his own account already.

--

--my PBX is run on 2 V8's



berniem
Posts: 205
Member Since:
2006-11-15
Specious

jahyde, I believe you're missing the mark:

"even the government probly knows when you phone home, and they probly will never admit it"

That's paranoia - not useful and not true.

"nobodys complained yet."

There are more than one "complaints" in this thread alone, so that's no longer a true statement.

"dont forget - if your not comfortable with turning it off..."

I'm not sure what this means. I, for one, would be VERY comfortable turning off this data collection.

"...theres always the roll your own, nobody is forcing anybody to use trixbox."

That's not really a positive customer relationship. I realize YOU don't work for Fonality, so you may not realize that they wouldn't last long telling all of their customers that they'll take it and like it or they have to leave. (Actually, the government is the only body that gets away with that behavior.)

"I suppose Fonality should make one of those "EWLA" agreements like M$ uses that loads everytime you pop in the disk, of which you have never read line 1."

In any instance where Microsoft collects user information, they tell you BEFORE the software does it and very clearly tells you what they wish to do and lets the user opt in or out as they wish. They also make changing that option later an easy task. If _that's_ what you're saying, then YES, I do think Fonality should do that. It's certainly better than covertly collecting data and transmitting it back to corporate HQ. I wonder just how many installations are running out there that were installed by system integrators/sellers that never told the end-user that the system would be collecting and reporting information about the installed system (the end-users were probably not told because the system integrator/seller didn't know either).

"Fonality could also argue that since you didnt pay, the software is still theirs, and they can do what they wont with."

a) You're forgetting about the people that DID pay for the software (EG: trixbox PRO).
b) Sure, they can do anything they want (within legal limits, of course) with their software. My point is that this kind of stuff is unacceptable to many people and will cause them to move to other platforms. Indeed, Fonality may be well aware of this and perhaps this was the reason that users are not informed of this data collection at install time, in any docs, or in any help file.

"however the main point is that it was implemented for the good of the community"

I suggest you actually don't KNOW why this "stealthy" data collection was put into trixbox. I'd suspect it's more about Fonality desiring marketing information than an altruistic effort.

"I think I would know if kerry was using my vitelity login to call his girl friend in Hong Kong, but I think he probly has his own account already."

That is SO not the point. However, that point may be addressed by this: this allegedly/currently minimal and "anonymous" data may not stay that way if a hacker finds a way to hijack this information collection process and grab whatever info is on the machine. (Of course, that's one example, a hacker could do other things like install a backdoor on the trixbox machine for use in exploring/attacking the rest of the victim's network.)

On a different tack: How can I trust a product in my network that has something like this in it? What other surprises are in there that I don't know about? What makes me sure that the current line drawn about which info Fonality will/will not collect will stay the same?

Again, since it's argued that this is not a big deal, I'd like a list of steps I may take to disable this data collection.



berniem
Posts: 205
Member Since:
2006-11-15
Hmmm, I think I've forgotten how to search

With a couple of new ideas to use in searching, I found these:

http://www.trixbox.org/forums/trixbox-forums/help/trixbox-server-...

Here's a quote from KerryG about a year ago:
"There are two forms of communication between an installed system and the trixbox servers.

1) When you log into the package manager, you are obviously hitting the trixbox servers. Therefore, we know what packages people are using. Nothing magic or sinister about usage logs.

2) In 2.0, there will be a spot on the trixbox user interface for dynamic content so we can inform users of updates, patches, etc. This is common in products like phpbb, joomla, etc. Again, nothing covert there.

That is it. We don't keep tabs on your system, report usage back, or anything else. So the only ramification of our servers being unavailable or you not being on the net, are the inability to get into the package manager and the dynamic content box would be blank."

a) BEFORE this response, someone else asks where this code is - as you can see in this response, that request was ignored.

b) These words "We don't keep tabs on your system" seem contradicted by current disclosures. If someone is tracking what hardware I'm using and how many of what type of phones I'm using, I would certainly put that in the category of "keeping tabs on" my system(s).

Here's a quote from andrew in the thread at
http://www.trixbox.org/forums/trixbox-forums/open-discussion/priv...

"The anonymous stats we gather from this connection are used to get advertizing dollars for our project. This is how we pay for the bandwidth and servers that serve the project."

So much for the concept that the data is being collected only for the community's use.

Indeed, in considering just these two threads, there are clearly more people not content with what seems to be a lack of attention to privacy issues. The two threads above were from a year ago and there's still no disclosure in the software or opt-in options. Perhaps that's the real bottom line at which I should be looking...



kerryg
Posts: 6793
Member Since:
2006-05-31

We are listening to you and the people who have contacted us directly. We are writing a game plan of how we will change this policy and will post the plan over the weekend for public review and will change this next week based on the feedback of our plan.

--

Kerry Garrison
http://www.VoipStore.com - http://3cxbook.com
(888) VOIPSTORE - (888) 864-7786



eeknz
Posts: 173
Member Since:
2006-08-13
Whats wrong with people

I live in NZ, so my world view may have been less affected by terror plots and many things ending in 'Gate'.
I get to use this great piece of software, and sell it to other people. The people that made it are collecting data off it to see how many there are, what phones get used, etc. This is all information that would be very useful to many of us in here. I like the Linksys phone, but now that I'm aware of the existence of the data, I would be able to find out what % of the installed phones are Linksys. Perhaps there is a better one I can get down here.
The data is being collected by a Cron job I believe. If it hurts so bad, why not turn it off?
Andrew and Kerry make it happen. They don't charge me to use it. They want to know some trivial hardware details. If I can help them make it better by giving them a fraction of what they've given me, they can have it. If they wanted to know call volumes and durations, I'd gladly give them those.
Kerry has been having to defend all sorts of things in the forum lately. Some of you guys should watch Bambi (The Disney one, minds out of the gutter) a few more times. Helpful positive criticism is an excellent tool for progress. Bitching on like a spoiled little shit who didn't get enough beatings as a kid to be a useful member of society is a little less productive.
If you have security concerns, why are you using open source? Surely open source makes it easy for a hacker to view the code and look for holes. I would expect the security concerned user to use something proprietary and locked away from prying eyes.
So my message here would be:
You people who made it, go get what you need to make it better. It's a small price to pay. When you're done, can you make a web counter or something that shows how many boxes there are on the planet, a top 10 handset list perhaps. Marketing things that we all might find useful.
Thank you all for your effort.



kerryg
Posts: 6793
Member Since:
2006-05-31

The point is that people should have been given a means to easily opt-out of the data collection process which is something we totally overlooked and in seeing the reaction we realize that this was a big mistake on our part. While it is pretty trivial for anyone with basic Linux knowledge to disable it, the issue is that a) we didn't inform people well and b) we didn't make it easy to turn off. We thank you for your support on this but anytime there are more than a few people complaining about something it means we missed the mark on it. So, as a team and a company we fix it and learn from it.

--

Kerry Garrison
http://www.VoipStore.com - http://3cxbook.com
(888) VOIPSTORE - (888) 864-7786



jahyde
Posts: 2002
Member Since:
2006-06-02

hmm - i think he said paranoia - not useful

on its way to another great 100 post thread to clog the forum.

--

--my PBX is run on 2 V8's



drmessano
Posts: 208
Member Since:
2006-10-10

I just don't get the fanboyism, even when Kerry has admitted they did something wrong. If any thread deserves 100 posts, it's this one.

I don't really buy the innocent "We didn't know this would upset anyone" response. Kerry, you already stated a discussion took place where it was decided to not make this as stealth as the coders COULD have made it. If this was a non-issue, there never would have been a discussion.. it would have been implemented however the individual saw fit... period. The fact that it was even questioned clearly shows someone knew the users would have issue with this. Fonality didn't become the successful company it is by being monumentally naive.

What bothers me the most is this post:
http://www.trixbox.org/forums/trixbox-forums/help/trixbox-server-...
.. where it was stated by Kerry:

"That is it. We don't keep tabs on your system, report usage back, or anything else. So the only ramification of our servers being unavailable or you not being on the net, are the inability to get into the package manager and the dynamic content box would be blank."

I'm not sure if something changed here, or if this was something more malicious.

It was always stated that Trixbox CE would remain FREE, but if data is being pulled from these boxes and is either being used by Fonality for marketing research, or worse, sold to their partners for marketing research, then Trixbox isn't and never was really Free.. it's been Spyware. I'm sure I will be told that Fonality NEVER used this data for anything, or it ONLY used the data for "THIS" or "THAT", but what reason should anyone have to believe anything from this point on?

I would not be surprised at all if something like this took place again, with a nice defensive forum post stating that "We can't pay to develop Trixbox CE AND make it FREE too, so you have to give something up here somewhere folks". With the recent fights over bugs, features, and now the spying, this is just the sort of big business attitude we've seen here in the forums.

I'm sorry, but you shouldn't have to sell-out to use a piece of open source software.

dm



cpumemhd
Posts: 7
Member Since:
2007-03-25
THE REAL ISSUE FACING US RIGHT NOW

How many people mistakenly enter their PBX username/password in the Trixbox/Fonality web login and send you their passwords? I'll bet this happens every day well into the thousands. This is a mistake any n00b will make at least once, but probably regularly.

Now let's assume hypothetically that kerryg and andrew are to be trusted; why, because God him/herself said. Fine. But what if your site gets hacked by someone on the other side of the globe and starts sniffing for these passwords? And further, what if the user/company PBX credentials are the same as the root login to the server and it's on the public side of the network? I'll bet thousands of Trixbox systems can be taken over in seconds this way. You see the point?

It is very irresponsible to put the Trixbox/Fonality web login right where a user switches to admin mode. It implies, "enter your credentials to log into THIS system". I have never seen a design like this at all. Let me elaborate further:

This should be in the Packages page, which should not be on the main menu, btw. I believe it should be an option in System. Regardless, when you click on packages, this is what you get:

"Warning: You must login to see the trixbox packages."

But it really means:

"Warning: You must login to THE TRIXBOX WEBSITE to see the trixbox packages."

Why was this done this way? I'm also a developer with more than 15 years experience. UI's fly out of my butt sometimes and one thing you learn quickly is people do the strangest things. But it's not strange that someone, especially a n00b enters their PBX credentials here. It's expected, especially when it's implied (mistakenly or otherwise). This needs to change, case and point.

-cpu



drmessano
Posts: 208
Member Since:
2006-10-10

I can NEVER log into the GUI (PHP file workaround) and they still have a "rootkit" installed on my box sending data without my consent.

You are correct, this was an oversight.. but something far worse has gone on here... that's the REAL issue.



GSnover
Posts: 1432
Member Since:
2006-11-19
I for one would like the statistics you are gathering

Nothing calms down a nervous customer like an assurance that they are not trail-blazing, and are instead following the herd - sad but true, people don't like to stick their neck out.

The other thing I notice about this thread is the incredibly hostile tone toward Kerry and the TB crew - other than to practice Flaming and Holier-Than-Thou Indignation, what's the point?

Really - If you want to offer constructive criticism do so - but these flames are just a waste of time - and part of the reason that the Linux community has such a bad reputation for this kind of rants.

No Fanboyism here either - I am a very strong supporter of where the Trixbox project is going, but do I agree with every decision? Of course not! As with all Open-Source software, someone is writing it to scratch their itch - but because of the modular nature of FOSS, you might have the same itch, and therefore can repurpose the tool for your own intents.

But this does not imply that they have an obligation TO YOU to scratch the itch YOU want scratched - If you want that kind of arrangement, hire a programmer, pay them a salary, and then you can demand what they produce.

Lighten up everybody - At this time last year, we had just barely started playing with a test system - now a year later, we have over 30 systems installed with over 400 phones attached (which Kerry could verify because all the systems are registered to me, and all are reporting back statistics).

If you don't like Trixbox, you have lots of options including trying to persuade the Trixbox crew to do it your way - We recently did just that with NVFax (Which is humming away on my 2.3.0.10-80 Production box! Yay!) - they were going to give up on it, and the community changed their mind! Or, you could try a different distro like PBX-In-A-Flash or CentPBX. Or you could go roll your own.

When is the last time you changed someone's mind by yelling at them and calling them evil and stupid?

Greg



cpumemhd
Posts: 7
Member Since:
2007-03-25
That's not the point and don't knock the penguin d00d

You are very much exaggerating. No one is being incredibly hostile and no one is flaming. Constructive criticism is exactly what this thread is about. People are pointing out inconsistencies in what is said and what is done. And what's with the "Holier-Than-Thou" comment; do you realize a lot of us are security-minded? If you double click on your system clock, be it Linux or Windows you will notice it's 2008 not 1993. Security is not a crusade, fyi. Not in the post-911/identity theft era we live in. We're talking about locking down a PBX where important conversations take place. If your system is hacked, it takes only a few keystrokes to download your VMs or have your conversations recorded. What if someone uses your wide-open PBX to phone a bomb threat? With news like this in the papers watch Avaya and Nortel's stock go right up.

Perhaps I'm not the highest donor to the Trixbox project, but I have purchased support blocks. My money is as good as the next guy's.

"part of the reason that the Linux community has such a bad reputation for this kind of rants."

Well this certainly explains _your_ hostility. No wonder. I hope you take back this comment because I don't think you'll be earning new friends. Not on this forum at least.

Good bye.

-cpu



philippel
Posts: 700
Member Since:
2006-05-31
kerryg wrote:
Both trixbox and FreePBX have phone-home mechanisms in them.

FreePBX does not have any 'phone home' mechanisms in it. Since this is a very sensitive topic, let me make it clear what FreePBX does and how we have approached things. When you install your system we compute a unique and un-identifiable hash based on your system's MAC address. Any time you go to our Online Module Repository, you send us that hash as well as the Asterisk version you are running, and if this is detected as a first time install, you send that as well. We know what version of FreePBX you are running because that information is implicit in checking for updates against your version. We use that data to understand what version of Asterisk our installed base is running so we can apply focus and development efforts accordingly. We also use this during beta programs to assess our coverage in making readiness decisions for final release.
The only time this happens is when an online update is initiated by you, or if you have chosen to receive update notifications since those are nothing more than a cron job that does exactly what "Check for Online Updates" does in the GUI.
We would never provide a mechanism that silently downloads a set of instructions to execute on your system. Regardless of any good intent, the dangers in doing that if someone compromised our server would be immense. We have thought about collecting additional information, but if and when we ever did that, it would be purely on an opt-in basis and it would be there to visibly see. If anyone has any concerns or issues with what we are doing, please bring it up in our FreePBX forum or contact me directly as I will not be following this post but was given a reference to it because of the mention of FreePBX phoning home which it does not do.

--

Philippe Lindheimer, FreePBX® Project Leader
http://freepbx.org - #freepbx on irc.freenode.net
http://freepbx.org/forums - The FreePBX® Forum
OTTS Training - Apr 27-29, Huntsville, AL



drmessano
Posts: 208
Member Since:
2006-10-10

GSnover, maybe you are comfortable with being lied to and having what is essentially spyware installed on a box without your knowledge, but I think most people are not.

No one has called anyone stupid or evil.. Maybe you should look up some of the terms used here, but I pointed out that I certainly don't think anyone at Fonality is as naive as they claim to be, and this was very much done with the secrecy and forethought that it appears. Current and previous forum posts are not only contradictory, but they do not paint a pretty picture.

I have nothing personal against anyone here. I have spent a lot of time supporting users and trying to understand and live with some of the decisions that have been made with the project. In this particular case, I am in awe at the level of backpedaling and the casual "oops, I guess we made a boo boo" attitude that has been displayed when hands were very clearly caught in the cookie jar. I would have expected much better, but I guess everyone has to make a dollar.

Without getting into a Windows Vs Linux argument, I will ask a question I threw at a friend a few hours ago.. If this was MICROSOFT or CISCO doing this, would you be so quick to defend their intentions and put your blind faith in the product? Why would Fonality doing the exact same thing be any better?



kerryg
Posts: 6793
Member Since:
2006-05-31
Quote:
The fact that it was even questioned clearly shows someone knew the users would have issue with this.

Yes we knew and we planned on making an announcement when we launched 2.4 but since we put the code out into the current versions this was a major foobar on our part to not make the announcement sooner.

Not meaning to split hairs here but:

Quote:
FreePBX does not have any 'phone home' mechanisms in it. Since this is a very sensitive topic, let me make it clear what FreePBX does and how we have approached things. When you install your system we compute a unique and un-identifiable hash based on your system's MAC address. Any time you go to our Online Module Repository, you send us that hash as well as the Asterisk version you are running, and if this is detected as a first time install, you send that as well.

That is "phoning home". It contacts a server and sends info about your system. In the past we did basically the same thing, we only generated a unique ID and sent that, we are doing a little more than that now and as promised we will explain this in complete detail within 2 hours from now. Please check back this afternoon for a complete explanation of what we are doing, why we are doing it, and how you can choose to not participate.

--

Kerry Garrison
http://www.VoipStore.com - http://3cxbook.com
(888) VOIPSTORE - (888) 864-7786



dobbs
Posts: 155
Member Since:
2006-05-31
phoning home

At the risk of again splitting an already frayed hair, I must disagree with the following:

"That is "phoning home". It contacts a server and sends info about your system."

The big differences, of course, are:

1. In FreePBX, I can actively click on a link requesting a connection to a server. I can also simply decide not to click the link or update things. This isn't something that happens in the wee hours without a client's knowledge.

2. In FreePBX, I have a reasonable idea of what the link is doing, connecting me to a server that is checking my version against what might be available for update purposes.



GSnover
Posts: 1432
Member Since:
2006-11-19
Wow - those sure were friendly and reasoned responses

to my post - Gosh, I was so wrong that the posts here were hostile. Can't imagine what made me think that.

"If this was MICROSOFT or CISCO doing this, would you be so quick to defend their intentions and put your blind faith in the product?"

Where have you been? Windows Genuine Advantage? ALL of Cisco's mechanisms to make sure that everything comes from and is controlled by them? This is a reality in the marketplace. I don't like it anymore than you do, but it is the position we are in until Desktop Linux makes more headway.

"very much done with the secrecy and forethought that it appears. Current and previous forum posts are not only contradictory, but they do not paint a pretty picture."

Doing something intentional, and planning ahead of time to do it in secret so you can do something wrong to others that paints you in a bad light? I think I just used less words, but it sounds like what you are saying to me.

Perhaps a different tack on this thread - What do you think they are going to try and do with the information they have gathered?

Greg



hongbo
Posts: 32
Member Since:
2007-07-03
The list of commands can be changed at any time
Quote:
we only generated a unique ID and sent that, we are doing a little more than that now ...
Quote:
# This file is design to be executed regularly by an external controller such as cron.
# It retrieves a list of commands to be executed from the specified URI and executes them, saving the output
# and returning it to the webserver as an encrypted string.

The list of commands can be anything and can be changed at any time. Your trixbox is now in total control of the "owner".

How can you explain what an unknown list of commands can do to the box?
Suppose the list may contain only one command: "cat /etc/asterisk/*.conf".

Oh, it's harmless!



kerryg
Posts: 6793
Member Since:
2006-05-31
Due to a network outage I

Due to a network outage I wasn't able to post this on time but here it is:

http://www.trixbox.org/trixboxs-new-hardware-audting-tool

--

Kerry Garrison
http://www.VoipStore.com - http://3cxbook.com
(888) VOIPSTORE - (888) 864-7786



markwho
Posts: 675
Member Since:
2006-09-24
YEEEEEEEEEEEEHAAAAAAAAAA!

YEEEEEEEEEHAAAAAAAAAAA!

This post is better than a daytime soap on steroids!! I haven't had this good of a laugh in days!

And to eeknz who wrote "Bitching on like a spoiled little shit who didn't get enough beatings as a kid to be a useful member of society is a little less productive." Are all you New Zealanders this funny? You sound more like a Texan...

GSnover, I agree with you, brother.

Kerry, pat 'em on the po po and tell 'em Big Brother, uhh, fonality will show everyone how to turn the "evil" off (if they desire to do so) and wink as you tell everyone that there will NEVER be a "stealth" program running in the background. ;)

Now, I will put on my flame resistant suit...because I smell gasoline...



drmessano
Posts: 208
Member Since:
2006-10-10
"Where have you been?

"Where have you been? Windows Genuine Advantage? ALL of Cisco's mechanisms to make sure that everything comes from and is controlled by them? This is a reality in the marketplace. I don't like it anymore than you do, but it is the position we are in until Desktop Linux makes more headway."

Sounds to me like you're fine with it. You seem to be just fine with what Fonality has been doing, which is worse than anything Microsoft has done. How so? WGA is public. This was NOT. You completely missed my point here... so let me rephrase with more words. If Microsoft owned Trixbox and Microsoft performed this sort of completely unpublicized snooping within Trixbox, would you be so quick to defend them? I'm sure your reply will be Yes, but the other 99.99999% of us would likely be outraged. Even with Microsoft's track record, people are still outraged when they add some new _well-publicized_ product protection feature... so why should Fonality be any different?

I won't even address the Cisco comment because locking users into products has nothing to do with spying on them.

"Doing something intentional, and planning ahead of time to do it in secret so you can do something wrong to others that paints you in a bad light? I think I just used less words, but it sounds like what you are saying to me."

Not sure if you were trying to make fun of me here, or what the intention was with the jumbled sentence, but it didn't make sense to me at all. You seem to be the only one getting hostile here. While others are pointing out facts, you're making borderline personal attacks. Whatever.

"Perhaps a different tack on this thread - What do you think they are going to try and do with the information they have gathered?"

I don't know, but I never authorized them to collect ANY information from my system. My guess is, regardless of whatever tall-tale we'll hear next, they're using it to determine where to focus their hardware support, what size deployments exist so they can fine tune their TB Pro prices and offerings, and who knows, maybe gather some stats to sell banner ads in the CE GUI.. Not sure about the last one, but usage data is worth its weight in gold and could be used for a number of things.. which you may or may not be told about.

dm



jahyde
Posts: 2002
Member Since:
2006-06-02
25 of my trixbox deployments

25 of my trixbox deployments just got up and stabbed me in the back, took my wallet, and charged $50k to my credit cards, and I know it was at Fonality's bidding, but then some kid in LA stole my stolen credit card from Fonality's data room which has finger print, retinal, and rectum scans for security, and now I'm double charged. Then, because fonality runs their SSL gateway on a windows 95 IIS server (because after becoming a proven corporation that provides enterprise class commercial software to thousands of companies world wide - they decided to invest less in their network security) I got hacked by some kid from Singapore - thrice.

be afraid - very afraid. woo hoo hoo!

Meanwhile my windows computer has complete inventory of every software component and patch ever installed (which I stole of course), because it installed Windows Genuine Advantage at 3am during the automated updates, it is also funneling away my 401k, because I keep it in Excel, now I am afraid of the black suit too.

woo hoo hoo! now I am afraid to even open my bathroom window at night when I'm.. nevermind - this has gone too far, trixbox is definitely too scary for me.

--

--my PBX is run on 2 V8's



kerryg
Posts: 6793
Member Since:
2006-05-31
This is getting far off the

This is getting far off the mark here. We are going to fix this so that it is easy to opt out of the program. If everyone opts out, we have no data, if we have no data, then we lose the financial support of our partners. If we lose the financial support of our partners, I lose my funding, if I lose my funding, I lose my team. If I lose my team we have no development on CE. This is a simple issue. I have said how we are going to change this as of this week. Instead of flaming each other, I could really use some suggestions on how to improve this even more to try to make everyone happy and still meet the goals of the program. I need to hear from everyone on what we should be doing versus bringing Cisco, Microsoft, and other issues that are not directly related to this issue.

--

Kerry Garrison
http://www.VoipStore.com - http://3cxbook.com
(888) VOIPSTORE - (888) 864-7786



nothings_found
Posts: 106
Member Since:
2007-03-10
So can someone explain to me

So can someone explain to me how Asterisk@Home got so big without pulling shit like this?



jahyde
Posts: 2002
Member Since:
2006-06-02
sorry Kerry - I realize

sorry Kerry - I realize that one guy can only do so much, and that commercial companies run on numbers, not assumptions, and that this free product is backed by commercial $, thus I will be opting in to the new version when it asks if I would like to send usage stats, hardware stats, baseball stats or whatever helps to fund the dev team.

--

--my PBX is run on 2 V8's



kerryg
Posts: 6793
Member Since:
2006-05-31
It got so big because when

It got so big because when we do boneheaded things, people are free to tell us we did a boneheaded thing, then we fix it to the satisfaction of the users and learn from it. So, we did a boneheaded thing, we got called out for being boneheads, we are fixing it, and we learned that we should have been more open BEFORE we implemented it rather than planning on announcing it and then not actually doing it. It's when you don't learn from your own mistakes that you are bound to fail. But when you listen to your community, you make a good product, you admit it when you make a mistake, and you learn from it then you succeed.

--

Kerry Garrison
http://www.VoipStore.com - http://3cxbook.com
(888) VOIPSTORE - (888) 864-7786



hongbo
Posts: 32
Member Since:
2007-07-03
I would opt in for

I would opt in for hardware/configuration statistics at install or at GUI login as long as the information collected is listed or documented.



pca
Posts: 383
Member Since:
2007-01-17
No one will easily opt in

No one will easily opt in without clear knowledge of what information is accumulated from the system. Or I might say that it will be easy to opt out without said explanation.

Also, some type of perk to give incentive to the end user would also help swallow the pill.

At least it should be easy to specifically define the tracked data to ease the paranoia... a little harder to define the perk.

Maybe as eeknz says... It may be a good start to give some stats back to the community to help the end user in marketing and purchasing decisions.



drmessano
Posts: 208
Member Since:
2006-10-10
You lose your users and none

You lose your users and none of that even matters.

You can dismiss any comparisons I made to other companies, but the point was that they at least disclose these sort of things, even the ones that are considered part of the "Axis of Evil".

A solution to all this would be Fonality providing MUCH more information about its intentions with Trixbox CE. While some companies use their Free/open source versions as a teaser for their paid offerings, it's become obvious that Fonality is/has/will be fully monetizing Trixbox CE. This is not "Free as in Beer" anymore, and I think this should be MUCH more obvious to the users. While the download and use may be free, my CPU cycles and utilization of the product are being used to pay for what I didn't fork out cash for. This is not FREE, this is a trade-off. I might even suggest a name change to Trixbox Lite or something with a greater indication of its "not-quite-free" status.

I personally do not feel comfortable using Trackware and there are many others that feel the same way. To me, this is just as bad as Adware. I do not feel comfortable deploying or selling systems with Trackware. I also do not feel comfortable offering hours of my free time helping a product that someone else is directly monetizing. If someone is going to directly monetize something I am supporting, I should be making money off it. I feel that if a company is going to provide a true, free, community version of their product, their generosity should be appreciated and I am more than willing to help out for free. This is apparently not what Trixbox CE is about.

Many, many, companies have made money off open source projects from support contracts, donations, and upsells to the paid versions of their products, without resorting to Trackware, Adware, or Spyware.

dm



GSnover
Posts: 1432
Member Since:
2006-11-19
What a sales tool this could be!

Imagine being able to sit down with a client and say "You should buy a Trixbox from me because there are 75,000 installed Trixbox systems currently running with over 1 million SIP phones with an average uptime of 9 months, 20 days and ten hours!"

You can have all the statistical data you want from my boxes as long as I can look at the data too - and really, sharing the success of Trixbox only helps to bolster the position of Trixbox and makes it an easier option for the client to agree to.

How about a module where you can click on the check boxes for the data you are willing to send? Seems to me a decent web programmer could knock out a page like that in a day.

Greg



rstebih
Posts: 46
Member Since:
2007-01-13
Kerry, First of all I'd like

Kerry,

First of all I'd like to thank you for being responsible and responding to this unfortunate situation. I had totally thought for sure that you were going to delete my original post and deny anything like this at all was happening. And to take the blame, there are only a few men who have what it takes to admit when they are wrong. Kudos!!!

Secondly, I can't speak for others, but my heart skipped a beat when I was first made aware of this. Then I sat there like a deer in headlights, dumb-founded that this was even happening. Even after the Microsoft anti-trust suit, I thought that stuff like this would be unheard of nowadays. I had no idea what to do or how to respond at that moment. So I posted my original message to let others know what was going on. And I believe others may have had the same reaction as I had and are just venting in disbelief...

I don't believe you realize the magnitude of this oversight. If this was a piece of software that was downloaded from your site onto the user's local computer and then executed on that same computer, the damage to you on a 'phone home' situation would be negligible and recoverable in the short term. But because of the commercial nature of the software, resellers/installers download the software package and bundle it with hardware with the intent to sell the systems to clients. You now have 1000's of systems that have been sold to clients by trustworthy resellers, whose clients are unaware that their systems are secretly sending data back. You've put the reseller in a very precarious situation. Not to mention that this has more than likely spread through the whole Asterisk community. It could possibly take years to recover from this!!!

I use a CRM system called 'SugarCRM'. They have made available a checkbox, that when selected by the administrator, anonymous stats are sent and in exchange, we are notified automatically of updates. If we decide not to send anonymous stats, we uncheck the check box and then are forced to check for updates manually by logging in and hitting the 'Check for Updates' button. This is a 'Polite' way of doing things of this nature.

Although I plan to sell Trixbox systems in the new year as part of my company's rebranding efforts, I hope (as I believe you have already mentioned) that you will be.... how shall I say this... 'Polite' in the future?

Rudy

--

Rudy



rstebih
Posts: 46
Member Since:
2007-01-13
Data Compilation

I stepped through the file in question just to see what it was doing and what commands were being executed. Although I see no personal data being transmitted, a lot of system data is being gathered.

Below is the list of commands being executed to acquire the data. You can execute these commands on the command prompt yourself to see what system information of yours is being sent back. Each command is prefixed by 'Cmd:' for clarity. No need to type that in:

Cmd: /usr/bin/perl /var/adm/bin/recognition.pl
Cmd: /bin/uname -r
Cmd: /bin/rpm -q -a
Cmd: /sbin/lspci -vn
Cmd: /usr/sbin/dmidecode
Cmd: /usr/sbin/wanrouter version
Cmd: /usr/sbin/wanrouter hwprobe verbose
Cmd: /usr/sbin/asterisk -V
Cmd: /bin/cat /etc/redhat-release
Cmd: /bin/cat /etc/trixbox/trixbox-version
Cmd: /bin/cat /etc/trixbox/.regData

If you want to see what time your system is collecting this data and sending it out, execute:

Cmd: crontab -l

When you see the line that lists 'registry.pl', the first number on that line represents the minutes, the second number represents the hour you are being processed.

To delete the cron job, execute:

1. Cmd: crontab -e
2. Place your cursor on the line that contains 'registry.pl'
3. Type 'dd' to delete the line
4. Type ':w' to save the file
5. Type ':q' to exit

Please don't type the 'quotes'!!!

Rudy

--

Rudy
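A scripted version of the cron check and removal steps in the post above, as an added example that is not part of the original post or of trixbox itself. The sample crontab is constructed (the thread does not show the real entry), and the `--apply` and `--scan` options are names chosen for this example.

```shell
#!/bin/sh
# Added example: locate and remove cron entries that run registry.pl.
# The filters read crontab text on stdin, so they can be tried on a saved copy.

# Constructed sample crontab (not copied from a real trixbox system).
SAMPLE_CRONTAB='# constructed sample
17 3 * * * /usr/bin/perl /var/adm/bin/registry.pl
*/5 * * * * /usr/local/bin/backup.sh
# registry.pl mentioned only in a comment'

# Print each active registry.pl entry with its hour and minute
# (first cron field = minute, second = hour); comment lines are skipped.
list_phone_home() {
    awk '!/^[ \t]*#/ && /registry\.pl/ {
        if ($1 ~ /^@/) { printf "schedule=%s\n", $1; next }
        cmd = $6
        for (i = 7; i <= NF; i++) cmd = cmd " " $i
        printf "hour=%s minute=%s command=%s\n", $2, $1, cmd
    }'
}

# Copy the crontab through, dropping active registry.pl entries only.
strip_phone_home() {
    awk '/^[ \t]*#/ { print; next } !/registry\.pl/ { print }'
}

# Apply to the invoking user's real crontab, saving a backup copy first.
apply_to_crontab() {
    backup=$1
    if ! crontab -l > "$backup" 2>/dev/null; then
        echo "no crontab for $(id -un)"
        return 0
    fi
    list_phone_home < "$backup"
    strip_phone_home < "$backup" | crontab -
}

# Cron jobs can also live outside per-user crontabs: list every file
# under the given paths that mentions the script.
scan_cron_files() {
    for path in "$@"; do
        if [ -e "$path" ]; then
            grep -rl 'registry\.pl' "$path" 2>/dev/null || true
        fi
    done
}

case "${1:-}" in
    --apply) apply_to_crontab "${2:-$HOME/crontab.backup}" ;;
    --scan)  scan_cron_files /etc/crontab /etc/cron.d /etc/cron.hourly \
                 /etc/cron.daily /var/spool/cron ;;
    *)       printf '%s\n' "$SAMPLE_CRONTAB" | list_phone_home ;;
esac
```

Run without arguments it only prints the entry found in the constructed sample; `--apply` rewrites the crontab of whichever user runs it.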



n7okn
Posts: 52
Member Since:
2006-07-09
Walmart Mentality and Trixbox

I had a thought...
Why does Walmart continue to come out on top every time even though they sell cheap junk almost exclusively made in China? It's because people have the opinion, whether real or imagined, that they are getting the most bang for their buck. People don't even think about the fact they are selling America's soul to the Chinese, they just want their low prices and fancy gadgets. We're drunk on cheap, and don't appreciate it. The Chinese understand this, and they will do whatever it takes to keep the American people asleep and consumed in their own quest for more cheap stuff. Now to Trixbox.. Andrew and Kerry seem to be victims of what the American public has turned into. With some people, the lower the cost something is, the less the appreciation or value it has. Those with a spirit of gratitude value those things given them on a silver platter, while those without gratitude will find it difficult to cherish anything. Trixbox CE software is a zero cost item. With all the money that flows through our hands to make thousands of Trixbox deployments successful, very little goes back to Kerry and Andrew. Fonality is taking a big risk pouring resources into something that's not directly revenue generating. This alone should tell everyone that Fonality is not trying to screw you when collecting information. There's a trust relationship that happens when you purchase software, otherwise you wouldn't purchase it. When it's free, there's no inherent trust relationship and I think that's what we see here. I'll bet you could plot a curve comparing those who complain the most vs those who donate to the project. Fonality is pro open source, they are not trying to screw you. They want to see this thing succeed, but if enough people rag on Kerry and Andrew enough for simply doing their job, we may be on our own again in Trixbox development. A human can take only so much.
We all need to sober up from our self indulgence and bitterness and see that there are people we can trust in this world. Kerry and Andrew deserve our patience as well as our constructive criticism and ideas. This kind of structured opportunity truly is rare in the open source world, let's not spoil it.



16again
Posts: 370
Member Since:
2007-03-04
How did this work on trixbox

How did this work on trixbox 2.2.4?

I don't have these files, so commands can't tell me what stuff is sent:
/var/adm/bin/recognition.pl
/usr/sbin/wanrouter
/bin/cat /etc/trixbox/.regData

Where to look for?
[root@asterisk1 /]# crontab -l
no crontab for root

Also, quickly browsing through /etc/cron folders doesn't reveal to me what is started



moran
Posts: 38
Member Since:
2006-10-01
I believe this phone home

I believe this phone home feature has been added to the 2.3.x.x release; I am not sure which one. I currently have 2.3.0.4 installed and the phone home feature does not appear to be in this release.

On the issue of Data collection

1. They should have disclosed the fact they had implemented this feature
2. To reduce suspicion as to the purpose of data collection they should have disclosed the exact data they were collecting
3. If they are automating the data collection process is there still any point to requiring a login for the package manager?

I personally will probably allow data collection dependent on the full disclosure of what they are collecting and I would need to see a privacy policy.



hdallen55
Posts: 153
Member Since:
2006-10-08
Sign me up (uhh, you already have)

Kerry,

Thanks for coming forward and explaining even though it was after the "boneheaded" maneuver. I really appreciate the effort put in by you, Andrew and the rest of the CE team. I really appreciate the fact that you have produced /are continuing to produce true business class FREE software. I also realize that this is FREE software and if for any reason I decide that you have drifted to the dark side, I can always unTrix my boxen and move to any combination of Linux, Asterisk, FreePBX that I put together on my own or choose from the myriad ones popping up all around. Through lots of time and research, I have discovered that no one is forcing me to use trixbox CE - I can actually uninstall it and choose not to use it if I want to!!

Having said that, I think a policy of full disclosure on this type of stuff going forward is a necessity. Especially as someone above noted - if we're placing tb in client accounts, we should know what it's doing - especially if it's sending information back to the mothership. With that caveat, I'm more than happy to help support the CE project with this type of information - all you needed to do was ask.

Maybe y'all could create a module/page like the system information page that displays everything and allows checkboxes for what can and cannot be sent. (if it's then discovered that other info is being sent - that would be bad, to quote Dr. Peter Venkman "Human sacrifice, dogs and cats living together - mass hysteria") I think it would be great also to use this information in a nice looking "telephony hardware inventory page" that lists all phones, phone hardware/firmware information and telephony card information to very easily monitor or print up-to-date hardware info.

And, as Greg said above, sharing the installation base info with us would be a great sales tool!

Doug
www.vbcnetworks.com



mammoth
Posts: 449
Member Since:
2006-06-14
Yeah, I think tying updates

Yeah, I think tying updates and upgrades to the statistics would be a good idea: "If you want to use our update mechanism, you will have to opt in to statistic collection." Seems reasonable to me. Honestly, the whole issue doesn't bother me so much -- they made a mistake, you called them on it, they admitted it, they apologized, they are taking corrective action. Hopefully this thread will die soon....



kspare
Posts: 673
Member Since:
2007-02-16
Lets be honest here. This is

Let's be honest here. This is simply a conduit for some people who like to bitch and make a point...so simply bitch and make a point.

They did this to collect hardware information not usage information, yet people still refer to it as usage information. So let's keep to the facts.

They did it to gain funding to help keep Trixbox moving forward and at a fast rate.

Realistically you only have one potential thing to bitch about, and that the funds gained by this information went towards development of functions that made it into the paid version of trixbox and not ce. That is worth getting upset about. Otherwise disable the cron job move on and let Kerry work on more important things.

My 2 cents.



mikesm
Posts: 38
Member Since:
2006-05-31
Downloading a file that runs arbitrary commands is not acceptable

Kerry, to me the issue is not collecting hardware and stats from my system. It's the system connecting, getting a script that could do anything and running it as root and sending back data. Imagine if someone breaks into your system and resets the script to something that formats the system disk in a week. I may opt in to giving you certain data, but not to arbitrary access to my machine.

The way this works should be that if someone opts in a regular package should be installed on the machine that does the data collection you describe and sends a report in. If that script is changed, it should be done through a package update, not via accessing some arbitrary url. Heck, it didn't even look like this was an encrypted package.

What if someone compromised your DNS and people wound up connecting to a shadow version that fed a toxic script to the system. The way this is engineered now is terrible. Use the regular package management tools and deal with script changes via yum updates. The sideways way you are doing it now is unacceptable and will result in everyone opting out.

thx
mike



mammoth
Posts: 449
Member Since:
2006-06-14
yes, yes, yes, I think they

yes, yes, yes, I think they get it. Again, they have acknowledged the error, they have apologized, and they are correcting it. Let's stop the rehashing and negativity.



kangstadt
Posts: 64
Member Since:
2006-10-29
Thanks to all that discovered this!

Thanks to Rudy and others that have brought this matter to our attention. I'm happy Fonality will address the issue openly and honestly. I am still troubled on where this collected data has gone or sold.

Keith



jahyde
Posts: 2002
Member Since:
2006-06-02
i sold it... on ebay ;)

i sold it... on ebay ;)

--

--my PBX is run on 2 V8's



dkullmann
Posts: 76
Member Since:
2007-01-02
Kerry Addressed This

Hello, for those of you that don't know me, I frequent the tb Pro forums doing support for Fonality, my name is David Kullmann.

Kerry has addressed this in his dev blog:

http://www.trixbox.org/trixboxs-new-hardware-audting-tool

Let us know if you have more unanswered questions!

David J Kullmann
tb Support



thantaro
Posts: 15
Member Since:
2007-12-16
Welcome Slashdot!

When are you going to issue a public security advisory? When are you going to fix the REAL problem with this? I have yet to see anybody from the trixbox camp even acknowledge the fact that the arbitrary command execution is a problem. This shows me a great deal.

http://voipsa.org/pipermail/voipsec_voipsa.org/2007-December/0025...

Hello Slashdotters!
http://yro.slashdot.org/article.pl?sid=07/12/16/222243



mikesm
Posts: 38
Member Since:
2006-05-31
I completely agree here.

I completely agree here. The issue isn't stats collection, it's arbitrary command execution. They should use package management for distributing their "script". I will never allow anyone to be able to execute programs running as root on my machines. This is a security disaster waiting to happen. One break-in at fonality and all the trixbox installations out there become red meat for the hacker community. In fact, now that it's hit slashdot, I bet folks are trying to hack in now.

This whole mechanism needs to be re-architected. Kerry, why in the world would you do it this way?

Thanks,
Mike



kugutsumen
Posts: 3
Member Since:
2007-02-28
I am posting this for people

I am posting this for people who don't understand the issues at stake:

The problem is that Trixbox developers have installed a script in your crontab to execute arbitrary commands on your machine.

The script connects to their web site regularly and checks if there are any commands to be executed on your machine, the output is encrypted and sent to trixbox. This is equivalent to a trojan horse program...

I wouldn't mind if they collected benign stats in a clearly defined manner. I DO MIND that they can execute any commands on my box... they don't even authenticate themselves...

The fact that kerryg doesn't understand this is aggravating!!! Kerry should buy some Schneier books and start reading.

I don't care about their intent... if they are compromised then anyone running trixbox will be affected.



kugutsumen
Posts: 3
Member Since:
2007-02-28
philippel wrote:
philippel wrote:
We would never provide a mechanism that silently downloads a set of instructions to execute on your system. Regardless of any good intent, the dangers in doing that if someone compromised our server would be immense. We have thought about collecting additional information, but if and when we ever did that, it would be purely on an opt-in basis and it would be there to visibly see. If anyone has any concerns or issues with what we are doing, please bring it up in our FreePBX forum or contact me directly as I will not be following this post but was given a reference to it because of the mention of FreePBX phoning home which it does not do.

Here is at least one other person beside myself who understands the problem :)



MadCat
Posts: 7
Member Since:
2007-12-16
How dumb do you have to be?

Seriously, how dumb do you have to be to have your application download commands to be executed from a "random" location on the Internet? There are so many ways to compromise that and be able to compromise a host running trixbox.

Not only is it unsecured, it seems you developer types don't quite understand why it's a bad thing. Believing that since you own the server/address where the info gets downloaded from makes it secure is so far off track that you might as well give up trying to find your way back.

If you want to collect stats, collect stats. Do it by taking the stats, and posting it to the server. One-way communication from the trixbox machine to your servers. Not the other way around. No two-way communication, unless you've seriously secured it. Otherwise you might as well design a new banner that says "for the love of god, I'm running trixbox, please hack me!". Because that's exactly what's going to happen, sooner or later. My guess is sooner.



jahyde
Posts: 2002
Member Since:
2006-06-02
no - we want blood

--

--my PBX is run on 2 V8's



0x0b0b
Posts: 28
Member Since:
2007-05-02
Thanks Kerry

Cmd: /usr/sbin/dmidecode
Cmd: /usr/sbin/wanrouter version
Cmd: /usr/sbin/wanrouter hwprobe verbose
Cmd: /usr/sbin/asterisk -V



davemkdw
Posts: 18
Member Since:
2007-03-01
Whats new hotdogs

Does mean Kerry Garrison knows I’m having an VOIP sex with his wife?



stickypt
Posts: 81
Member Since:
2007-01-05
I was reading this post

I was reading this post until now waiting for my time to respond. I think trixbox/fonality have more than re-doing the way they collect data... Since the bad is done I think they should now:

- Delete all data collected and don't use it for any purpose;
or
- Publish a report with the data collected for the benefit of all the community;

Regarding to this subject I really don't mind if the collected data was sent only once with my consent as an individual (since I don’t do business with trixbox) and if most of the information collected was in general faction, but I DO mind that they now have information about my phone extensions plan, phone models and mac address. I think despite of the reasons the collected data was too much for the purposes and again I had no chance to say "no" which I think is very sad.



gregjones
Posts: 123
Member Since:
2006-06-06
A few suggestions

1) This should be a package (optional) so that the commands run are static on the machine between package updates. This is a small change that would make a number of users much more comfortable.

2) Use perl more. Strip out any dial plan information. Strip out any hostnames and IP addresses. This should be nothing more than a hardware list and counts of extensions, etc. The information collected should be absolutely minimal and any additional information in a new package should be noted in the package description.

3) Log the information. Just to make us feel better, write the information sent out to a file so we can review it as well. That way, we always know what you know and when you know it.

4) Consider making transmission optional. Let us run the script and see the log and THEN determine if we're comfortable with transmitting the data. This is as simple as one line in a config file. This way, we could download the optional package and turn transmission off. When we review what you'd get, we can make a decision about whether or not to let it go.

I think these changes would make significant inroads into moving forward. We cannot go back in time and fix this but we can move forward and act in a way that helps everyone.
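A sketch of a collector built along the four suggestions above, which also follows the earlier posts asking for a packaged script and one-way reporting. It is an added example, not Fonality's code and not part of the original post. The command list is fixed in the file, output is written to a log for review, and nothing is sent unless a config line opts in; the `transmit=yes` key, the config and log paths given as arguments, and the `stats.example.invalid` URL are all assumptions made for this example.

```shell
#!/bin/sh
# Added example: an opt-in collector whose command list is fixed in this
# file, so it changes only when the package that ships the file is updated.

# mode|command. Commands come from the list posted earlier in the thread.
# "keep" output is logged as-is (version strings such as 2.3.0.4 would
# otherwise look like IPv4 addresses); "scrub" output is masked first.
COMMANDS='keep|/bin/uname -r
keep|/bin/cat /etc/redhat-release
keep|/bin/cat /etc/trixbox/trixbox-version
keep|/usr/sbin/asterisk -V
scrub|/sbin/lspci -vn'

REPORT_URL='https://stats.example.invalid/report'   # placeholder URL

# Mask the given hostname, MAC addresses and IPv4 addresses on stdin.
scrub() {
    host=$(printf '%s' "${1:-localhost}" | sed 's/\./\\./g')
    sed -E \
        -e "s/$host/[host]/g" \
        -e 's/([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}/[mac]/g' \
        -e 's/([0-9]{1,3}\.){3}[0-9]{1,3}/[ip]/g'
}

# Run every listed command and write the result to a reviewable log.
build_report() {
    log=$1
    : > "$log"
    printf '%s\n' "$COMMANDS" | while IFS='|' read -r mode cmd; do
        printf '## %s\n' "$cmd" >> "$log"
        bin=${cmd%% *}
        if [ ! -x "$bin" ]; then
            echo '(not available)' >> "$log"
        elif [ "$mode" = scrub ]; then
            # $cmd is split on purpose: it is a fixed string from COMMANDS.
            $cmd < /dev/null 2>/dev/null | scrub "$(uname -n)" >> "$log"
        else
            $cmd < /dev/null >> "$log" 2>/dev/null ||
                echo '(command failed)' >> "$log"
        fi
    done
}

# Transmission stays off unless the admin has written transmit=yes.
transmission_enabled() {
    [ -r "$1" ] && grep -qx 'transmit=yes' "$1"
}

# One-way report: the response body is discarded and never executed.
send_report() {
    curl --silent --fail --output /dev/null --data-binary @"$1" "$REPORT_URL"
}

# Build the log, then print what was done with it.
run_collector() {
    conf=$1
    log=$2
    build_report "$log"
    if ! transmission_enabled "$conf"; then
        echo 'not sent'
    elif send_report "$log"; then
        echo 'sent'
    else
        echo 'send failed'
    fi
}

if [ $# -eq 2 ]; then
    run_collector "$1" "$2"
else
    echo "usage: $0 CONFIG_FILE LOG_FILE"
fi
```

With `transmit=yes` absent the script still writes the log, so an administrator can read exactly what would be reported before deciding to enable sending.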



Minupla
Posts: 6
Member Since:
2007-12-17
The major problem here is

The major problem here is not that the system collects data. The problem is an ethical one.

There is an understanding between users and developers. The understanding is often tacit but is nonetheless there. The understanding goes, "I will be executing something you wrote. I do not have the time/ability to check it all, but as professionals, I expect you to behave in a manner befitting that trust."

This is the same understanding patients have with doctors, and clients with lawyers and accountants. Perhaps developers need an equivalent of the Hippocratic oath to "do no harm"?

I am a security professional. I would welcome a public statement of ethics from Fonality detailing what their system of ethics is in terms of development of software.

For the record, installing a script that allowed me to execute arbitrary commands at a client site without the informed and complete consent of my client would be in violation of the statement of ethics that I hold and thus I find myself unable to advocate the installation of Fonality software to my clients at this juncture and will be following this discussion closely to see when that changes.



kerryg
Posts: 6793
Member Since:
2006-05-31
I said in the dev blog that

I said in the dev blog that we will have a fix by Tuesday and we will be following the following procedure:

1. Internal design of a change to how the system works
2. Community review of the proposed changes
3. Implementation of the fix

--

Kerry Garrison
http://www.VoipStore.com - http://3cxbook.com
(888) VOIPSTORE - (888) 864-7786



mikesm
Posts: 38
Member Since:
2006-05-31
Looks like Fonality is vulnerable too!

From looking at the registry.pl file, the URI contacted for the script differs based on the server ID and a config file. It looks like there are three choices for the download URI, one is registry.trixbox.com, but the others are proregistry.trixbox.com, or update.fonality.com.

This sure looks to me like this same process and terrible security architecture is used by trixbox pro and fonality pbx's as well as trixbox CE.

Does the fonality user base realize how vulnerable they are? How many users put their PBX on a special firewalled network from their corporate users?

Kerry, is it really this bad that all Fonality projects use this same terribly insecure mechanism? If so, why have you not warned them?

I think your user base deserves a reply.



jahyde
Posts: 2002
Member Since:
2006-06-02
I think your software

I think your software developer deserves time to present us with a solution, I am sure they are fully aware of the contents of the file.

It's appalling that not only Kerry "the PR Guy" is diverting a huge amount of his time to this thread, but ALSO the dev guys who would normally be busy working on fixing things like this.

This is looking more and more like a medieval inquiry

--

--my PBX is run on 2 V8's



kerryg
Posts: 6793
Member Since:
2006-05-31
Pro and PBXtra systems

Pro and PBXtra systems communicate over a VPN not over the open internet.

--

Kerry Garrison
http://www.VoipStore.com - http://3cxbook.com
(888) VOIPSTORE - (888) 864-7786



mikesm
Posts: 38
Member Since:
2006-05-31
This is completely ignoring

This is completely ignoring the point. The point is, that it appears that fonality and trixbox pro systems contact a server that YOU run and allow your system to run arbitrary commands as root on these systems without any user knowledge or intervention.

This is a problem regardless of whether or not the communication occurs over a VPN.

Are you admitting that the same mechanism is used by fonality and trixbox pro as well? Why did you not inform these user communities of their vulnerability?

Do you understand what could happen if a disgruntled employee decides to get even or a security breach occurs at your company and all the fonality and trixbox PBX's out here that are inside corporate firewalls begin running programs that mine or attack internal servers across their internal LAN's?

Why did I have to figure this out by looking at code instead of you guys being transparent?

Please be direct here. Your users deserve to know.

I have been a big trixbox supporter, but this is VERY disappointing to me.

Thx
Mike



jahyde
Posts: 2002
Member Since:
2006-06-02
I attended an ftocc training

I attended an ftocc training for Pro, and a room full of 50 guys were made aware of the fact that Pro transmits certain info over a secure VPN back to the main hosting facility to facilitate updates, support and other HELPFUL things. Somehow that room full of 50 technicians, (some being very knowledgeable about Linux, applications, and security), 50 sensible people didn't even blink when that was mentioned. Fonality uses this connection to provide these people with FREE ongoing updates and support, I don't think there is any need to evaluate that area since it is completely secured by a VPN, and it is for an honest cause to benefit the users.

This isn't the only software suite that performs these actions, I would be pretty surprised if you have no program on your network that does not do this - that would mean you have no MS Windows installations that use automatic updates, are you aware of what that sends over the internet?

A leak at Fonality - this can be compared to a leak at the FBI?

You should see the contracts and disclaimers and NDA agreements I had to sign just to get into ftocc, I would be afraid of jail time for breaking those, I would think their employees are under even stricter regulation.

--

--my PBX is run on 2 V8's



kerryg
Posts: 6793
Member Since:
2006-05-31
Mike, I am being very

Mike,
I am being very direct and as open as I can possibly be, believe me, I do not want anything I say about this to come back and bite me in the ass later so I am in the process of disclosing everything I possibly can about this.

Quote:
This is completely ignoring the point. The point is, that it appears that fonality and trixbox pro systems contact a server that YOU run and allow your system to run arbitrary commands as root on these systems without any user knowledge or intervention.

This is one of the big complaints about hybrid hosting in general, we have some level of control over your system and even a bug on our side could hose your operation. All of that is done behind the scenes. And yes, it does contact a system that we run that pushes out commands to the system that runs as root. I have never denied this. "Arbitrary" is semantics, technically yes it could, in practice it is a predefined set of commands that has now been posted in these forums as well as several blogs.

Quote:
This is a problem regardless of whether or not the communication occurs over a VPN.

Depends on if you are or are not satisfied with the level of security and encryption used and the safeguards that are in place.

Quote:
Are you admitting that the same mechanism is used by fonality and trixbox pro as well? Why did you not inform these user communities of their vulnerability?

I cannot admit to it because I am not fully aware of what the differences are in how the auditing works on those systems. I am focusing on the CE community first. The Pro and PBXtra communities already know that we push out code updates and have an automated level of control to their systems. But I don't want to go off-topic here.

Quote:
Do you understand what could happen if a disgruntled employee decides to get even or a security breach occurs at your company and all the fonality and trixbox PBX's out here that are inside corporate firewalls begin running programs that mine or attack internal servers across their internal LAN's?

Yes, we are aware of that, which is why access to those systems is restricted to only two people in the company. Could someone at Verizon mess with your phone records? Sure. Could a disgruntled employee at Edison screw with your electricity? Sure. Does this condone it? No. What it does mean is that we fully understand that and have safeguards in place to prevent it.

Quote:
Why did I have to figure this out by looking at code instead of you guys being transparent?

Because I screwed up. Do I need to repeat it ad nauseam? I had a plan in place to discuss the auditing tool because we knew that it would be an issue and I would rather have dealt with it beforehand than dealing with it after the fact like I am doing now. The problem was we released it on the current builds and the announcement wasn't due for another two weeks. This was not a decision to withhold the information, it was a failure to move the date back to discuss it with the community. Big mistake. Second mistake was the script to easily disable it was not finished and pushed out along with the audit tool. I am passing my next public statement around the company for review right now and will post it as soon as we make sure it is as accurate as possible.

--

Kerry Garrison
http://www.VoipStore.com - http://3cxbook.com
(888) VOIPSTORE - (888) 864-7786



mikesm
Posts: 38
Member Since:
2006-05-31
Are you crazy? There is a

Are you crazy? There is a big difference with doing a package update that the user chooses to download and install vs an automatic check that runs programs without user control. Also, for most of the common enterprise software systems that do automatic updates, the update is cryptographically signed, so even if someone hacks the repository, unless the package is signed by the proper key, it will not be downloaded much less installed.

This is just a URI that contains a bunch of commands! It's not signed, it's not checksummed and put into a queue so that it's flagged as an update. There isn't a choice in YUM to update this module, or review it by the local sysadmin before it runs. Heck, it doesn't even get chown'd before running, but runs as root, which doesn't just give it access to the local system, but to anything that system can access across the internal LAN since it's inside the firewall!

This is a HUGE vulnerability, and in a completely different class than Microsoft updates, Symantec updates, etc... All of the modest techniques out there for limiting vulnerability were ignored in its design.

I have worked in enterprise and telecomm systems development for years, and if one of my people ever even proposed something like this in a design review I'd fire him on the spot - it's that obvious. No kidding.

But on top of this all, they chose to disclose this was happening on Trixbox CE, but deliberately NOT tell folks it was also running on Fonality and Trixbox Pro. That goes beyond incompetence into deliberate deception. It's hard for me to imagine how Kerry can say how sorry he was about not notifying people about this script running and that they will be seriously learning from that mistake and at the same time deliberately not telling Trixbox Pro and Fonality users that they had exactly the same gaping hole in their systems. Come on!

I am VERY disappointed in the Fonality team.
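The controls this post says are missing (a checksum, a queue, review by the local sysadmin), together with the static on-box command table suggested earlier in the thread, as an added example that is not code from registry.pl or Fonality. It pins approval to a SHA-256 digest rather than verifying a publisher signature; the command table, manifest format, and all names are assumptions.

```python
import hashlib

# Hypothetical command table shipped inside the package: the server may only name
# entries from it, never supply command text. Names and argv values are assumptions.
PACKAGED_COMMANDS = {
    "count_sip_peers": ["asterisk", "-rx", "sip show peers"],
    "os_release": ["cat", "/etc/redhat-release"],
}


def sha256_hex(manifest: bytes) -> str:
    return hashlib.sha256(manifest).hexdigest()


class ReviewQueue:
    """Holds fetched manifests until a local administrator approves their digest."""

    def __init__(self):
        self.pending = {}      # digest -> manifest bytes awaiting review
        self.approved = set()  # digests the administrator has signed off on

    def receive(self, manifest: bytes) -> str:
        """Queue a fetched manifest; nothing is executed at fetch time."""
        digest = sha256_hex(manifest)
        self.pending[digest] = manifest
        return digest

    def approve(self, digest: str) -> None:
        """Record the administrator's decision for a manifest already in the queue."""
        if digest not in self.pending:
            raise KeyError("unknown manifest digest")
        self.approved.add(digest)

    def release(self, manifest: bytes) -> list:
        """Return argv lists to run, or raise if unapproved or not in the table."""
        if sha256_hex(manifest) not in self.approved:
            raise PermissionError("manifest not approved by local administrator")
        names = manifest.decode("ascii").split()
        unknown = [n for n in names if n not in PACKAGED_COMMANDS]
        if unknown:
            raise PermissionError(f"not in packaged command table: {unknown}")
        return [PACKAGED_COMMANDS[n] for n in names]
```

The returned argv lists are meant to be run without a shell and from an unprivileged account rather than as root; a manifest altered after approval hashes to a different digest and is refused.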


