
Linux-Based Phone System Phones Home 164

An anonymous reader writes to let us know that users of Trixbox, a PBX based on Asterisk, recently discovered that the software has been phoning home with statistics about their installations. It's easy enough to disable, and not particularly stealthy (beyond encrypting the data sent back), but customers in the forum are annoyed at not having been informed of the reporting. Trixbox is owned by Fonality, which makes customized PBXs (again based on Asterisk) for paying customers.

  • Re:eh? (Score:2, Interesting)

    by bcdm ( 1031268 ) <bcdm999 AT yahoo DOT ca> on Sunday December 16, 2007 @09:59PM (#21721690)
    H'm. Let's count the problems together:

    1) They did not inform or ask their members that they would be collecting this information. Even the eeeeeeeeevil Microsoft/Apple/whoever we hate today notifies us that generic data is being collected. People tolerate generic data collecting; they don't tolerate duplicity all that well.

    2) The data is encrypted, so there's absolutely no way to tell if what they're saying is true or not.

    3) They've been doing this for months without anyone noticing it (and letting others know), and now they're acting surprised that people are upset. So they're either stunned beyond all reason or flat-out liars.

    Pretty good reasons to be pissed, I'd say.
  • Re:eh? (Score:2, Interesting)

    by MadCat ( 796 ) <benvanstaveren@nospaM.gmail.com> on Monday December 17, 2007 @01:41AM (#21722852)

    That's about as scary as a hacker getting complete access to the WindowsUpdate.com servers or some popular Linux distribution update servers, right?

    Just the fact that the trixbox developers have shown a serious lack of understanding when it comes to security makes it a lot more likely that a hacker can gain access to the webserver that's being hit on by all the installed trixboxes. All you do then is tell it to go download and install some tasty rootkit.

    Presto. Instant botnet for some script kiddie to play with.

    Even then, suppose some organisation is using trixbox. You know they're using it, because you've managed to ferret that out. Now all you need to do is figure out who supplies their internet connectivity, do some DNS poisoning, and you've just owned yourself their phone system. Which means you can potentially record all incoming and outgoing calls, and use the phone box as a nice jump-off into the rest of the organisation's network. Industrial spy's wet dream right there.

  • Some of you might remember that trixbox started out as asterisk@home.

    I've run A@H 1 and 2 and even trixbox... and I must say... ever since KerryG and Fonality took full control and essentially "killed" the A@H branding/identity/ethic/attitude the project has gone seriously downhill.

    I've had run-ins with Kerry before... and all I'll say in this public forum is that the guy really isn't a positive influence.

    The forking of the project into CE and Commercial versions was only exacerbating the underlying shift towards an essentially exploitive distro. Requiring an internet connection to trixbox in order to configure your own box? Requiring a user account on their site to configure what is ostensibly supposed to be open source based projects? Maybe these actions aren't WRONG per se... but certainly the ethics are questionable.

    The truth is, ever since it went this way, I've actually decided NOT to upgrade my A@H 1.3 version. The bells and whistles aren't really worth it.

    I'm hoping some other distro, or fork, will come along that remains true to the principles they started with.

    It's really sad to see, considering how excellent the work that went into A@H / trixbox is. These guys have done a wonderful job packaging several complicated and time-consuming products together into an easy and accessible distro. However... somewhere along the way someone *cough* Kerry *cough* Fonality *cough* decided to push those efforts into LOCK-IN style profitability.

    (There's nothing wrong with getting commercial support packages... but forcing people to sign up to your organization and forking a far less than active sub-version on your community is an insult.)
