Privacy Your Rights Online

Linux-Based Phone System Phones Home (164 comments)

An anonymous reader writes to let us know that users of Trixbox, a PBX based on Asterisk, recently discovered that the software has been phoning home with statistics about their installations. It's easy enough to disable, and not particularly stealthy (beyond encrypting the data sent back), but customers in the forum are annoyed at not having been informed of the reporting. Trixbox is owned by Fonality, which makes customized PBXs (again based on Asterisk) for paying customers.
  • Re:So? (Score:3, Insightful)

    by irtza ( 893217 ) on Sunday December 16, 2007 @09:38PM (#21721562) Homepage
    Well, I have always found it interesting that people get up in arms over these types of things (with open source software). If people are that pissed, let them maintain their own distribution. I can understand if someone had paid for something that they may be mad about this sort of behavior, but people should be happy that someone has put together a great product for their use. I am running a trixbox at my office and may use this info to disable the call home; however, I have no problem with the company taking this measure. I just can't complain about free software.
  • eh? (Score:4, Insightful)

    by LingNoi ( 1066278 ) on Sunday December 16, 2007 @09:42PM (#21721594)

    So what does it actually do? Let me explain. We are only looking at the number of phones (and types) that are connected to a system.
    So it's sending back some generic data with no personal information so they can do a best estimate of where they need to be spending their time.

    What's the problem here?
  • Re:eh? (Score:5, Insightful)

    by arth1 ( 260657 ) on Sunday December 16, 2007 @10:02PM (#21721706) Homepage Journal

    So it's sending back some generic data with no personal information so they can do a best estimate of where they need to be spending their time.

    What's the problem here?

    First of all, your claim isn't true. Here's what it currently sends back the output of:

    /usr/bin/perl /var/adm/bin/recognition.pl
    /bin/uname -r
    /bin/rpm -q -a
    /sbin/lspci -vn
    /usr/sbin/dmidecode
    /usr/sbin/wanrouter version
    /usr/sbin/wanrouter hwprobe verbose
    /usr/sbin/asterisk -V
    /bin/cat /etc/redhat-release
    /bin/cat /etc/trixbox/trixbox-version
    /bin/cat /etc/trixbox/.regData
    Note that it sends the registration data on every request. Which means the other data isn't anonymous.

    But, and this is much more alarming, it also can execute arbitrary commands. It connects to the remote server, asks it what to execute, and then executes it. That's VERY scary, no matter what is currently collected. Imagine a hacker getting access to the server customers connect to.
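The audit an administrator would want after reading the above, as an added example (not code from the thread, Trixbox or Fonality): it checks a host for the phone-home script paths quoted in this thread, lists scheduler entries that reference them, and neutralizes the script by renaming it and leaving an exit-0 stub in its place. The script paths come from the thread; the scheduler locations, the stub text and the rename-plus-stub approach (instead of the thread's `rm -f`) are this example's own choices. The `root` parameter exists so the functions can be exercised against a scratch directory tree instead of a live system.

```python
import os
import shutil
from pathlib import Path

# Script paths quoted in the thread (both spellings appear there); the
# scheduler locations below are assumptions about where a cron entry would live.
PHONE_HOME_SCRIPTS = ["var/adm/bin/registry.pl", "var/adm/bin/recognition.pl"]
CRON_LOCATIONS = ["etc/crontab", "etc/cron.d", "var/spool/cron"]
STUB = "#!/usr/bin/perl\n# phone-home disabled by the local administrator\nexit 0;\n"


def _is_stub(path: Path) -> bool:
    """True if the file is already our no-op replacement."""
    try:
        return path.read_text(errors="replace") == STUB
    except OSError:
        return False


def find_phone_home(root="/"):
    """Return the live (not yet neutralized) phone-home scripts under root."""
    root = Path(root)
    return [str(root / s) for s in PHONE_HOME_SCRIPTS
            if (root / s).is_file() and not _is_stub(root / s)]


def find_cron_references(root="/"):
    """Return scheduler files under root that mention a phone-home script,
    so the admin can see how and how often the upload would have run."""
    root = Path(root)
    hits = []
    for loc in CRON_LOCATIONS:
        p = root / loc
        if p.is_file():
            files = [p]
        elif p.is_dir():
            files = [f for f in p.rglob("*") if f.is_file()]
        else:
            continue
        for f in files:
            try:
                text = f.read_text(errors="replace")
            except OSError:
                continue
            if any(s in text for s in PHONE_HOME_SCRIPTS):
                hits.append(str(f))
    return sorted(hits)


def neutralize_phone_home(root="/"):
    """Rename each live script to <name>.disabled (kept for inspection) and
    leave an exit-0 stub in its place, so a cron entry or wrapper that still
    calls it exits cleanly instead of failing or fetching commands."""
    done = []
    for script in find_phone_home(root):
        backup = script + ".disabled"
        shutil.move(script, backup)
        Path(script).write_text(STUB)
        os.chmod(script, 0o500)
        done.append((script, backup))
    return done


if __name__ == "__main__":
    # Inspect first; call neutralize_phone_home() only after reviewing the output.
    print("live scripts:", find_phone_home())
    print("scheduler references:", find_cron_references())
```

Keeping the renamed original rather than deleting it lets the administrator read exactly what the script gathered and where it connected before deciding on further action, and the stub means any caller (cron, a wrapper, the web GUI) sees a clean exit rather than a missing file.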

  • by ScrewMaster ( 602015 ) on Sunday December 16, 2007 @10:03PM (#21721710)
    Nah ... it's just that people don't bother to read what's in front of them. Had there been a big blurb during the software install that proclaimed "we collect anonymous usage statistics" nobody would have cared, but because it wasn't made sufficiently obvious people think there's something devious going on.
  • Re:So? (Score:4, Insightful)

    by syousef ( 465911 ) on Sunday December 16, 2007 @10:14PM (#21721778) Journal
    The initial setup at the web GUI makes it apparent that it wants to send stats back to home-base. How this can take people by surprise is baffling. ...because of course you have read every word of every screen of every version of every installer you've ever used, and never just glossed over any detail. What's baffling is that comments like this get modded up.

  • by compumike ( 454538 ) on Sunday December 16, 2007 @10:15PM (#21721782) Homepage
    We did it ourselves and saved >$100/month for a small business. Just use Asterisk [asterisk.org] (free and open source), buy some inexpensive but full-featured phones like the Grandstream GXP-2000 [grandstream.com] (about $80 each), and get a termination provider like VoicePulse Connect for Asterisk [voicepulse.com] ($11/month for four simultaneous channels, free incoming, and below $0.01/min for most outgoing). It took some work to get it all set up and working properly, but now is actually more reliable than the analog phones ever were. (We had phone company issues every few months... just awful.)

    --
    Educational microcontroller kits for the digital generation. [nerdkits.com]
  • by Aetuneo ( 1130295 ) on Sunday December 16, 2007 @10:36PM (#21721902) Homepage
    So the fact that software installed on Linux will do what it is programmed to do is a reason to migrate away from Linux? I will consider migrating to something else when there are known and exploited holes in the security which allow websites to arbitrarily install software without user permission. Until that, you just have to research what software does to stay safe, or only install software from known and trusted sources. But if you really want to migrate away, don't claim that you are doing it to stay secure: you are doing it because you cannot understand the details of problems, or because you can but just want to move away from Linux, since it is too popular for you.
    And please, whatever you do, don't claim that "spyware and other malware" is beginning to show up on Linux - or, if you do want to tell people that, please remember to say that it is stuff which the user has to choose to install, not something which can be installed just by going to an infected website.
  • Re:So? (Score:4, Insightful)

    by insertwackynamehere ( 891357 ) on Sunday December 16, 2007 @10:53PM (#21722014) Journal
    If it really bothers you this much when usage stats are collected, then you can't really gloss over things like the TOS and EULA... you can't have it both ways.
  • Um (Score:4, Insightful)

    by Gordo_1 ( 256312 ) on Monday December 17, 2007 @05:08AM (#21723458)
    Did anyone bother to notice that your mobile and landline phone companies know *WAY* more about you than this program could ever hope to collect? I mean, these guys bill you for every call you make, know exactly who you're calling and for how long, have been known to allow just about anyone in law enforcement to wiretap your line for even the flimsiest premise, yet the Slashdot crowd is more concerned with an open-source-based PBX collecting some high-level meta-data from users in an opt-out fashion?
  • Re:Um (Score:3, Insightful)

    by WK2 ( 1072560 ) on Monday December 17, 2007 @07:42AM (#21723904) Homepage

    Did anyone bother to notice that your mobile and landline phone companies know *WAY* more about you than this program could ever hope to collect ... yet the Slashdot crowd is more concerned with an open-source-based PBX collecting some high-level meta-data from users in an opt-out fashion?

    It is possible for a person to be unhappy about two different things. And I don't recall anyone saying anything about the phone companies, including whether they were more or less upset about this or that.

  • by syousef ( 465911 ) on Monday December 17, 2007 @08:12AM (#21724022) Journal
    d; if one can read and discuss Shakespeare or Melville, one can read and discuss that EULA.

    Oh and by the way reading Melville and Shakespeare is called getting an education. It serves a purpose to learn about other times, other places, other language and about heritage. In contrast, reading a EULA is just a complete waste of time. If one does not understand the difference, then one's education has failed one miserably.

  • Our bias (Score:3, Insightful)

    by Minupla ( 62455 ) <minupla@noSpaM.gmail.com> on Monday December 17, 2007 @10:53AM (#21725062) Homepage Journal
    OK folks, time to check our bias level here. If Sony installed a script that logged into their website and downloaded a list of commands to execute on your system to "collect usage data" would we be impressed? I didn't think so. We were very much up in arms about the Sony Rootkit, and should be about this too.

    So if an OSS project does the same why should we be any less outraged? It's still a violation of any sort of professional ethics. It doesn't matter that the script is in clear text on the system, who here has the time to go through every script on a new installation of their favorite distribution?

    We trust the package suppliers to disclose anything we need to know about. If that trust is breached we call them to task on it.

    Well the trust has been breached in this case and the community needs to call the developer to task on it so that it's clear that this sort of behavior is unacceptable. I've read some comments that you're getting it for free. So it would be acceptable for Linus to start including arbitrary command execution backdoors into the kernel?

    Remember the Trojan Horse didn't have a price tag attached either!

    Min
  • by Fnord666 ( 889225 ) on Monday December 17, 2007 @10:56AM (#21725124) Journal
    The folks at nerdvittles.com, an alternative asterisk distro, have weighed in on the subject with a blog post [nerdvittles.com] on how good of an idea this was. They provide a very succinct summary of their position in the following:

    This clever software should have been reviewed by senior management before it ever saw the light of day. The episode gives all of us a golden opportunity to stop and think about what we're doing and what our fundamental obligations are to those who use our code. Hopefully, Fonality will turn this BOT off... permanently! The problem, of course, is that it's hard to unring a bell. This BOT is already in the wild. Luckily there's a very quick solution in this case. Here's the command that should be added to tomorrow morning's Fonality script: rm -f /var/adm/bin/registry.pl. We'll all sleep better.

    The freePBX team has also commented [freepbx.org] on the issue. In short they want to make it clear that running arbitrary commands sent from the Fonality server is a trixbox/Fonality issue and has nothing to do with freePBX. FreePBX's "phone home" functionality is just a "check for updates" sort of thing.

    In the above thread it is mentioned that FreePBX phones home as well. Instead of splitting hairs over definitions, let me make it perfectly clear what FreePBX does. Most of you are aware of our Online Module Repository that provides easy updates to new versions of FreePBX and its modules (vs. pulling tarballs manually).
    Of course if the modules are not digitally signed and verified, then a man in the middle attack is still possible and malicious versions of modules with a little "extra goodness" added could be sent to the pbx for automatic installation.
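The verify-before-install check that the comment above says is missing when modules are unsigned, as an added example (not FreePBX's or Fonality's code): the repository publishes a manifest of module hashes plus an authentication tag over the manifest, and the PBX installs a downloaded module only if the tag verifies and the module's hash matches its manifest entry. HMAC-SHA256 under a key provisioned on the PBX stands in for the public-key signature a real repository would use (Python's standard library has no asymmetric signing); the module names, key and contents are constructed for the example.

```python
import hashlib
import hmac
import json


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Repository side: authenticate the manifest (module name -> sha256 hex).
    The manifest is serialized canonically so both sides hash identical bytes."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_module(name: str, data: bytes, manifest: dict, tag: str, key: bytes) -> bool:
    """PBX side: accept a downloaded module only if the manifest is authentic
    AND the module's hash matches its manifest entry; reject everything else."""
    expected_tag = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected_tag, tag):
        return False  # manifest forged or altered in transit
    if name not in manifest:
        return False  # module was never published by the repository
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, manifest[name])


def install_if_verified(name, data, manifest, tag, key, installed: dict) -> bool:
    """Install only what verifies; a rejected module never touches the PBX."""
    if verify_module(name, data, manifest, tag, key):
        installed[name] = data
        return True
    return False


# Constructed sample data (not real FreePBX modules or keys).
KEY = b"constructed-key-provisioned-on-the-pbx"
GOOD_MODULE = b"<?php // genuine module contents ?>"
MANIFEST = {"core-2.4.tgz": hashlib.sha256(GOOD_MODULE).hexdigest()}
TAG = sign_manifest(MANIFEST, KEY)


def demo():
    """Walk through the genuine module, a module altered in transit, and a
    forged manifest that matches the altered module but carries no valid tag."""
    installed = {}
    tampered = GOOD_MODULE + b"\n// a little extra goodness"
    forged_manifest = {"core-2.4.tgz": hashlib.sha256(tampered).hexdigest()}
    return {
        "genuine": install_if_verified("core-2.4.tgz", GOOD_MODULE, MANIFEST, TAG, KEY, installed),
        "tampered_module": install_if_verified("core-2.4.tgz", tampered, MANIFEST, TAG, KEY, installed),
        "forged_manifest": install_if_verified("core-2.4.tgz", tampered, forged_manifest, TAG, KEY, installed),
        "installed": sorted(installed),
    }


if __name__ == "__main__":
    print(demo())
```

The two comparisons use `hmac.compare_digest` so that neither check leaks timing information, and the manifest tag is checked before any per-module hash is consulted: a manifest the attacker can rewrite would otherwise make the hash check worthless.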
  • Re:Um (Score:4, Insightful)

    by Minupla ( 62455 ) <minupla@noSpaM.gmail.com> on Monday December 17, 2007 @11:05AM (#21725208) Homepage Journal
    Hrm, last time I checked, my phone company was unable to open a tunnel from the internal side of my corporate firewall back to them. Since the script allows them to execute *any* command and most people put their PBX inside their most secure corporate network segment, this would prove to be an issue. Leaving aside for the moment the issues of DNS poisoning, and someone hijacking the script.

    Min.
