On Dec 17, 2007 5:38 PM, Trixter aka Bret McDanel <[EMAIL PROTECTED]> wrote:
> The fact that they gather information with a unique cookie set at
> install time is not the bigger issue in my opinion.

I don't think there's a site on the net that doesn't do this now, nor do I think there's anything insidious done with cookies, except when there's a real intent to attack (via cross-scripting, etc). Some installs take this to a point of hair-pulling rage, such as Adobe and Apple (getting rid of the Quicktime launch is a major PITA, as is Adobe's constant wanting you to update). Many, many free programs do this stuff, some less invasively than others.

> SNIP
> This not only opens the potential for a zombie box doing nasty stuff but
> also opens your phone system to others who may just abuse it for free
> calls, may decide to record and relay those recordings elsewhere,
> SNIP
> Self signed certificates are cheap - they are free. It does not take
> SNIP

I think it would be of interest if people could come to the conference and talk about security issues WRT running asterisk as root, and other ways people can get in and take over a running asterisk install (or any Internet-connected pbx for that matter). What are the risks? As you mention, abuse of your resources and provider time. Making the box a drone for spam networks. Call interception and "tapping". CDR info hijacking? What else?

Further, does anyone have any anecdotal info at all regarding random IP scans for asterisk installs? Have you detected port scans on SIP or IAX2, or worse the manager port? When the MS SQL Server worm was in the wild, I'd see dozens of those scans daily, maybe even hundreds.

> Btw since this has caused confusion in the past, I have never now nor at
> any time in the past had any affiliation with trixbox, I had the moniker
> trixter before they called themselves trixbox.

I always wondered about that! Trix (pronounced tricks) has so many meanings. As in Nixon's dirty tricks, customers of $ex workers, so it's always shaky ground, anyway.

Anyway, in conclusion, this thread is about Friday's conference (the Trixbox thing is one part of that) and a possible new day and time for an additional Southern Hemisphere edition. All participants are welcome.

r
