[asterisk-biz] PBX got Hacked

SIP sip at arcdiv.com
Tue Mar 10 13:54:05 CDT 2009


Peter Beckman wrote:
> On Tue, 10 Mar 2009, SIP wrote:
>
>
>> Responsibility? That's a difficult word. Is it irresponsible to build a
>> program without additional security if building in that security is
>> possible?
>
>
>   No.  Network and software security is the responsibility of the admin.  If
>   to get the Asterisk Install to work they open the box to the world, then
>   they will likely get a costly lesson in network and system security due to
>   insecure logins to Asterisk.
>
>   Asterisk/Digium is NOT responsible for securing your server -- YOU are.
>   Just like Microsoft is not responsible for keeping spyware and viruses off
>   your computer.
>
> Beckman
>
> PS -- YOU being the server admin, not anyone specifically, in case you were
> feeling singled out, YOU.
>
>
I was not feeling singled out, but I would like to add that I disagree
with your opinion (but that I respect your right to have a different one
from mine).

Any software developer either knows or SHOULD know about software
security. If he doesn't, he's deluding himself into thinking he's an
actual software developer and not a second-rate code monkey. Software
security is everything from verifying (and cleaning) user inputs to
ensure nothing snaps, to, in the case of a networked piece of software,
ensuring that the networked code is not abused.  In something complex
like Asterisk, I imagine they take reasonable care to ensure that it
can't write to locations it's not supposed to write to, that it doesn't
get easily tricked into reading from locations it's not supposed to read
from, and that the data it sends either to local files or via the
network is handled with a certain level of integrity.

After all, there are incredibly rudimentary ACL controls built into
Asterisk already, so clearly SOMEone thought that a certain level of
security was the purview of the developers and not to be left to system
admins or crazy, random chance.

Why not build in something stronger if it CAN be done?

As for Microsoft not keeping spyware off your machine... try telling
that to the press that loves to lambast them whenever there's a virus or
bit of spyware that makes it past their rudimentary security. There's a
REASON MS has been beefing up their security in their software. People
don't run software that's commonly accepted to be insecure and full of
possible holes. It's a bit like driving without brakes and no seatbelt.
It works just fine in only extremely limited situations.

If that's the reputation you want for Asterisk, to be lumped in there
with the software people love to joke about because it's both dangerous
and senseless to use, then by all means ignore the idea that any level
of security needs to be included.

However, I will continue to think it's a bad idea.

N.

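Editor's note: the "rudimentary ACL controls" and the "insecure logins to Asterisk" the two posters refer to are, in chan_sip of that era, the per-peer deny/permit lines and the per-peer secret, plus allowguest and alwaysauthreject in [general]. The script below is an added example, not code from this thread or from the Asterisk project: it parses a sip.conf and flags the settings that leave a PBX exposed to the Internet open to abuse. The sample configuration is constructed for the example; the option names are real chan_sip options, while the password-length threshold and the treatment of missing [general] options as that era's permissive defaults are this example's own assumptions.

```python
# Added example, not code from the thread or from Asterisk: a small audit of an
# Asterisk 1.4/1.6-era sip.conf for the per-peer deny/permit ACLs the thread
# calls "rudimentary" and for the weak logins that get an exposed PBX abused.
# Option names (allowguest, alwaysauthreject, secret, deny, permit, insecure)
# are real chan_sip options; the sample config, the rules and the thresholds
# are this example's own assumptions.

MIN_SECRET_LEN = 8  # assumed policy for this example, not an Asterisk setting

# Constructed sample: [1001] is left the way many quick how-tos leave it,
# [1002] is restricted to the LAN and given a real password.
SAMPLE_SIP_CONF = """\
[general]
context=default
allowguest=yes          ; unauthenticated INVITEs land in [default]
alwaysauthreject=no     ; failed REGISTERs reveal whether the peer exists

[1001]
type=friend
secret=1001
context=internal
host=dynamic

[1002]
type=friend
secret=k7Qv9!pLz2mX
context=internal
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.10.0/255.255.255.0
"""


def parse_sip_conf(text):
    """Parse Asterisk's ini-style config into {section: {option: [values]}}.

    deny/permit may be repeated within one peer, so every option maps to a
    list of values in file order.  ';' starts a comment, as in Asterisk.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and "]" in line:
            current = sections.setdefault(line[1:line.index("]")], {})
            continue
        if current is None or "=" not in line:
            continue
        option, _, value = line.partition("=")
        # Asterisk also accepts "option => value"; drop the '>' it leaves behind.
        value = value.strip().lstrip(">").strip()
        current.setdefault(option.strip().lower(), []).append(value)
    return sections


def last(opts, option, default):
    """Asterisk applies the last occurrence of a single-valued option."""
    return opts.get(option, [default])[-1].lower()


def audit_sip_conf(text):
    """Return [(section, finding)] for settings that leave the PBX open."""
    conf = parse_sip_conf(text)
    findings = []

    # Missing [general] options are treated as the permissive defaults of
    # that era (allowguest=yes, alwaysauthreject=no): an assumption here.
    general = conf.get("general", {})
    if last(general, "allowguest", "yes") != "no":
        findings.append(("general", "allowguest is not 'no': anonymous callers reach the default context"))
    if last(general, "alwaysauthreject", "no") != "yes":
        findings.append(("general", "alwaysauthreject is not 'yes': failed logins reveal valid extensions"))

    for name, opts in conf.items():
        if name == "general" or last(opts, "type", "") not in ("friend", "peer", "user"):
            continue
        secret = opts.get("secret", [""])[-1]
        if not secret or len(secret) < MIN_SECRET_LEN or secret == name or secret.isdigit():
            findings.append((name, "weak or missing secret: registration can be guessed or needs no password"))
        if "deny" not in opts and "permit" not in opts:
            findings.append((name, "no deny/permit ACL: peer accepts registrations from any address"))
        if any("invite" in v.lower() for v in opts.get("insecure", [])):
            findings.append((name, "insecure=invite: incoming INVITEs from this peer skip authentication"))
    return findings


if __name__ == "__main__":
    for section, finding in audit_sip_conf(SAMPLE_SIP_CONF):
        print(f"[{section}] {finding}")
```

On the constructed sample the audit reports two findings against [general] and two against [1001], and nothing against [1002]. To run it against a real file, call audit_sip_conf(open("/etc/asterisk/sip.conf").read()); the script only knows the chan_sip options named above, so a clean run is not a statement that the box is secure, only that these particular holes are closed.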