[asterisk-biz] Friday @12 PM EST VOIP Users Conference + Aus/NZ/India/Japan conference event

randulo spamsucks2005 at gmail.com
Tue Dec 18 04:34:18 CST 2007


On Dec 17, 2007 5:38 PM, Trixter aka Bret McDanel
<trixter at 0xdecafbad.com> wrote:
> The fact that they gather information with a unique cookie set at
> install time is not the bigger issue in my opinion.

I don't think there's a site on the net that doesn't do this now nor
do I think there's anything insidious done with cookies, except when
there's a real intent to attack (via cross-scripting, etc). Some
installs take this to a point of hair-pulling rage, such as Adobe and
Apple (getting rid of the Quicktime launch is a major PITA as is
Adobe's constant wanting you to update). Many, many free programs do
this stuff, some less invasively than others.

> SNIP

> This not only opens the potential for a zombie box doing nasty stuff but
> also opens your phone system to others who may just abuse it for free
> calls, may decide to record and relay those recordings elsewhere,
> SNIP
> Self signed certificates are cheap - they are free.  It does not take
> SNIP

I think it would be of interest if people could come to the conference
and talk about security issues WRT running asterisk as root,
and other ways people can get in and take over a running asterisk
install (or any Internet-connected pbx for that matter).

What are the risks? As you mention, abuse of your resources and
provider time. Making the box a drone for spam networks. Call
interception and "tapping". CDR info hijacking? What else?

Further, does anyone have any anecdotal info at all regarding random
IP scans for asterisk installs? Have you detected port scans on SIP or
IAX2, or worse the manager port? When the MS SQL Server worm was in
the wild, I'd see dozens of those scans daily, maybe even hundreds.

> Btw since this has caused confusion in the past, I have never now nor at
> any time in the past had any affiliation with trixbox, I had the moniker
> trixter before they called themselves trixbox.

I always wondered about that! Trix (pronounced tricks) has so many
meanings. As in Nixon's dirty tricks, customers of $ex workers, so
it's always shaky ground, anyway.

Anyway, in conclusion, this thread is about Friday's conference (the
Trixbox thing is one part of that) and a possible new day and time for
an additional Southern Hemisphere edition. All participants are
welcome.

r


