Linux-Based Phone System Phones Home 164
An anonymous reader writes to let us know that users of Trixbox, a PBX based on Asterisk, recently discovered that the software has been phoning home with statistics about their installations. It's easy enough to disable, and not particularly stealthy (beyond encrypting the data sent back), but customers in the forum are annoyed at not having been informed of the reporting. Trixbox is owned by Fonality, which makes customized PBXs (again based on Asterisk) for paying customers.
eh? (Score:4, Insightful)
What's the problem here?
Re:eh? (Score:5, Insightful)
First of all, your claim isn't true. Here's what it currently sends back the output of: Note that it sends the registration data on every request. Which means the other data isn't anonymous.
But, and this is much more alarming, it also can execute arbitrary commands. It connects to the remote server, asks it what to execute, and then executes it. That's VERY scary, no matter what is currently collected. Imagine a hacker getting access to the server customers connect to.
Make your own Linux-based PBX system (Score:5, Insightful)
--
Educational microcontroller kits for the digital generation. [nerdkits.com]
Re:and so it begins (Score:2, Insightful)
And please, whatever you do, don't claim that "spyware and other malware" is beginning to show up on Linux - or, if you do want to tell people that, please remember to say that it is stuff which the user has to choose to install, not something which can be installed just by going to an infected website.
Re:Um (Score:3, Insightful)
It is possible for a person to be unhappy about two different things. And I don't recall anyone saying anything about the phone companies, including whether they were more or less upset about this or that.
Re:an example- not so bad (Score:3, Insightful)
Oh and by the way, reading Melville and Shakespeare is called getting an education. It serves a purpose to learn about other times, other places, other languages and about heritage. In contrast, reading a EULA is just a complete waste of time. If one does not understand the difference, then one's education has failed one miserably.
Our bias (Score:3, Insightful)
So if an OSS project does the same, why should we be any less outraged? It's still a violation of any sort of professional ethics. It doesn't matter that the script is in clear text on the system; who here has the time to go through every script on a new installation of their favorite distribution?
We trust the package suppliers to disclose anything we need to know about. If that trust is breached we call them to task on it.
Well the trust has been breached in this case and the community needs to call the developer to task on it so that it's clear that this sort of behavior is unacceptable. I've read some comments that you're getting it for free. So it would be acceptable for Linus to start including arbitrary command execution backdoors into the kernel?
Remember the Trojan Horse didn't have a price tag attached either!
Additional interesting articles about this issue (Score:3, Insightful)
The freePBX team has also commented [freepbx.org] on the issue. In short they want to make it clear that running arbitrary commands sent from the Fonality server is a trixbox/Fonality issue and has nothing to do with freePBX. FreePBX's "phone home" functionality is just a "check for updates" sort of thing. Of course if the modules are not digitally signed and verified, then a man in the middle attack is still possible and malicious versions of modules with a little "extra goodness" added could be sent to the pbx for automatic installation.
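The point made above about unsigned modules, as an added example (not code from Trixbox, freePBX or Fonality): an update client that pins the project's Ed25519 public key and refuses to install any module whose signature does not verify, so a man-in-the-middle cannot substitute a modified module. The `Module` type, `SignModule` and the key pair are constructed for the demo; in a real deployment the private key would stay offline with the release process and only the public key would ship with the PBX.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Module is what a hypothetical update server returns: the module bytes plus a
// signature produced offline with the project's private key (constructed for the demo).
type Module struct {
	Name string
	Data []byte
	Sig  []byte
}

// ErrBadSignature is returned whenever a module fails verification.
var ErrBadSignature = errors.New("module signature invalid: refusing to install")

// digest binds the module name to its contents so a valid signature for one
// module cannot be replayed as a different module.
func digest(name string, data []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator between name and data
	h.Write(data)
	return h.Sum(nil)
}

// VerifyModule checks the signature against the public key pinned in the PBX
// before anything is written to disk or executed.
func VerifyModule(pub ed25519.PublicKey, m Module) error {
	if len(m.Sig) != ed25519.SignatureSize || !ed25519.Verify(pub, digest(m.Name, m.Data), m.Sig) {
		return ErrBadSignature
	}
	return nil
}

// SignModule stands in for the project's offline release step (demo only).
func SignModule(priv ed25519.PrivateKey, name string, data []byte) Module {
	return Module{Name: name, Data: data, Sig: ed25519.Sign(priv, digest(name, data))}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := SignModule(priv, "core", []byte("#!/bin/sh\necho installing core module\n"))
	fmt.Println("genuine module:", VerifyModule(pub, good)) // <nil>
	tampered := good // a man-in-the-middle swaps the body; the pinned key no longer verifies it
	tampered.Data = []byte("#!/bin/sh\necho tampered\n")
	fmt.Println("tampered module:", VerifyModule(pub, tampered))
}
```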