[asterisk-biz] Friday @12 PM EST VOIP Users Conference + Aus/NZ/India/Japan conference event

Trixter aka Bret McDanel trixter at 0xdecafbad.com
Mon Dec 17 10:38:51 CST 2007


On Mon, 2007-12-17 at 17:23 +0100, randulo wrote:
> Hi,
> 
> Kerry Garrison from Fonality will be with us live to address the
> Trixbox so-called "phone home" script issue.

The fact that they gather information with a unique cookie set at
install time is not the bigger issue in my opinion.

The fact that they run commands issued from remote without any
verification that the commands came from them (i.e. use a certificate of
some type to verify identity) is a bigger issue since it lets anyone
with enough skill to DNS poison execute commands on your trixbox.

This not only opens the potential for a zombie box doing nasty stuff but
also opens your phone system to others who may just abuse it for free
calls, may decide to record and relay those recordings elsewhere,
may ...

Self-signed certificates are cheap - they are free.  It does not take
much to verify the fingerprint of that certificate to ensure that
someone didn't do any of the nasties that could be done.  It also sets it
up to be an encrypted connection to avoid MiTM attacks of other types
since it is just plaintext commands that are being executed.

Btw since this has caused confusion in the past, I have never now nor at
any time in the past had any affiliation with trixbox, I had the moniker
trixter before they called themselves trixbox.  

-- 
Trixter http://www.0xdecafbad.com     Bret McDanel
Belfast +44 28 9099 6461        US +1 516 687 5200
http://www.trxtel.com the phone company that pays you!
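An added example of the check described in the post above (not code from the post, from trixbox or from Fonality): a client that only accepts commands over a TLS session whose self-signed server certificate matches a fingerprint pinned at install time. The host, port, CA file path and pin value are placeholders.

```python
"""Added example, not from the post or the trixbox project: fetch vendor
commands only after the server's self-signed certificate matches a pin."""
import hashlib
import hmac
import socket
import ssl

# Placeholder values; a real deployment records the vendor's certificate
# and its fingerprint out of band (e.g. at install time), never from DNS.
VENDOR_HOST = "updates.example.invalid"
VENDOR_PORT = 443
VENDOR_CA_FILE = "/etc/asterisk/vendor-selfsigned.pem"   # placeholder path
PINNED_SHA256 = "00" * 32                                 # placeholder pin


def cert_fingerprint(der_cert: bytes) -> str:
    """Lowercase hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_matches(der_cert: bytes, pinned: str) -> bool:
    """Compare the presented certificate's fingerprint with the pin in
    constant time; accepts the colon-separated form tools usually print."""
    expected = pinned.replace(":", "").lower()
    return hmac.compare_digest(cert_fingerprint(der_cert), expected)


def pinned_context(ca_file: str) -> ssl.SSLContext:
    """TLS context that trusts only the vendor's own self-signed certificate
    (loaded as the sole trust anchor); hostname checking stays on."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def fetch_commands(host: str, port: int, ca_file: str, pinned: str) -> list:
    """Open the pinned TLS session and return the command lines the server
    sends; raise before anything is executed if the identity check fails."""
    ctx = pinned_context(ca_file)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            # Second gate on top of chain validation: the exact pinned cert.
            if der is None or not fingerprint_matches(der, pinned):
                raise ssl.SSLError("server certificate does not match pin")
            payload = tls.recv(65536).decode("utf-8", "replace")
    return [line for line in payload.splitlines() if line.strip()]
```

Whatever `fetch_commands` returns should still be run through an allow-list before execution; the pin only proves who sent the commands, not that they are safe.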