[asterisk-users] allowguest defaults to yes for SIP

Matt Riddell lists at venturevoip.com
Thu Nov 12 17:21:50 CST 2009


On 13/11/09 8:30 AM, SIP wrote:
> Eh... if VoIP fraud weren't so rampant, and I didn't constantly see
> mailings to the Asterisk list about "How do I secure my system from the
> people who've been costing me tons of money lately," I would say that
> having a lax stance on security in exchange for additional usability
> might be a good thing.  But as is, that's simply not the case. The
> 'usability' you get from this is really only questionably essential in
> its ability to save time, but the security one would get from a change
> could save some people actual money -- not just time.

The problem there is normally lax usernames and passwords.  Not that 
there is default access to the echo test.

> As someone who used to design systems and networks, I would vote for
> security over nebulous desire to keep the status quo.

Because you're already using Asterisk.  If it had been too hard at the 
start maybe you wouldn't.

> True, you can't keep stupid people from doing stupid things, but given a
> choice between protecting the ignorant from a bad situation or catering
> to those who want to avoid an extra step or two on installation, I'd
> side with protecting the ignorant every time. There's always a trade-off
> between usability and security, and I'm of the opinion that security is
> the more important of the two when dealing with systems connected to the
> Internet. Call me a cynic. :)

The ignorant won't have changed the default context - they likely won't 
even know how to edit a config file - so they're safe.

-- 
Cheers,

Matt Riddell
Director
_______________________________________________

http://www.venturevoip.com/news.php (Daily Asterisk News)
http://www.venturevoip.com/st.php (SmoothTorque Predictive Dialer)
http://www.venturevoip.com/c3.php (ConduIT3 PABX Systems)



More information about the asterisk-users mailing list