Category: Networking

Knock Three Times: Pain-Free Remote Access to Your Asterisk or Linux Server

No. We’re not going to make you relive the 1970s with us today although now you can listen to this Number 1 Hit and a million others for free with Amazon’s new Prime Music. No, we don’t get a commission if you sign up for Amazon Prime. Yes, we make millions when you buy something from Amazon using our links. Thank you! What we have for you today is a Number 1 Utility, and it works on virtually any Linux platform. If your fraternity or sorority had a secret knock to gain access, then you already know the basic concept. Port Knocker (aka knockd) from Judd Vinet is a terrific utility that runs as a daemon on your server and does just what you’d expect. It listens for knocks. When it detects three knocks on the correct three ports in the proper sequence and from the same IP address, it opens the IPtables Linux Firewall for remote access from that IP address to your server for a predefined period of time. This would allow you to log into your server with SSH or make SIP phone calls using a softphone registered to your remote Asterisk® server. What makes Port Knocker especially useful is the existence of knocking clients for virtually any smartphone, tablet, or desktop computer. For the Travelin’ Man, it’s another must-have utility.

We introduced a turnkey implementation of Port Knocker in Incredible PBX for Ubuntu 14 late last week. If you were a pioneer earlier in the week, go back and install it again to take advantage of Port Knocker. Or better yet, follow along and we’ll show you how to install it on your own RedHat/CentOS or Ubuntu/Debian server in just a couple of minutes.

Prerequisites. We’ve built open source installation scripts for both the RedHat/CentOS platform as well as the Ubuntu/Debian operating systems. These knockd installers assume that you have a fully functional and locked down IPtables firewall with an existing WhiteList of authorized users. We’d recommend Travelin’ Man 3 if you need to deploy this technology and haven’t done so already. Last week’s Incredible PBX for Ubuntu 14 already includes Travelin’ Man 3 whitelisting technology. Read the article for full details.

Today’s knockd installers are fairly generic but, if you’re running a version of CentOS earlier than 6.x, Ubuntu earlier than 14, or any version of Debian, be advised that we haven’t tested these installers on those platforms so you’re on your own. Finally, if your server is sitting behind a hardware-based firewall (as we ALWAYS recommend), then you’ll also need to map three TCP ports from your hardware-based firewall to your server so that legitimate “knocks” can find their way to your server. These ports need not be opened in your IPtables firewall configuration! We’re just knocking, not entering. :-)

Overview. As configured, today’s installation scripts will install and preconfigure knockd to load automatically when you boot up your server. Three random TCP ports will be assigned for your server, and this port sequence is what remote users will need to have in order to gain access. Yes, you can change almost everything. How secure is it? Well, we’re randomizing the 3-port knock sequence using over 3,900 ports so you can do the math to figure out the odds of a bad guy guessing the correct sequence. HINT: 3900 x 3900 x 3900. Keep in mind that these “knocks” must all be received from the same IP address within a 15-second window. So sleep well but treat the port sequence just as if it were a password. It is! Once a successful knock sequence has been received, the default Port Knocker configuration will open all ports on your server for remote access from the knocking IP address for a period of one hour. During this time, “The Knocker” can log in using SSH or make SIP calls using trunks or extensions on the server. Port Knocker does not alleviate the need to have legitimate credentials to log into your server. It merely opens the door so that you can use them. At the bewitching (end of the) hour, all ports will be closed for this IP address unless “The Knocker” adds a whitelist entry for the IP address to IPtables during the open period. Yes, all of this can be modified to meet your individual requirements. For example, the setup could limit the range of ports available to “The Knocker.” Or the setup could leave the ports open indefinitely until another series of knocks were received telling knockd to close the IPtables connection. Or perhaps you would want to leave the ports open for a full day or a week instead of an hour. We’ll show you how to modify all of the settings.

Server Installation. To get started, log into your server as root and download and run the appropriate installer for your operating system platform.

For RedHat/Fedora/CentOS/ScientificLinux servers, issue the following commands:

cd /root
wget http://nerdvittles.com/wp-content/knock-R.tar.gz
tar zxvf knock*
rm knock-R.tar.gz
./knock*

For Ubuntu/Debian servers, issue the following commands:

cd /root
wget http://nerdvittles.com/wp-content/knock-U.tar.gz
tar zxvf knock*
rm knock-U.tar.gz
./knock*

For ARM-based servers, issue the following commands:

cd /root
wget http://nerdvittles.com/wp-content/knock-ARM.tar.gz
tar zxvf knock*
rm knock-ARM.tar.gz
./knock*

Server Navigation Guide. On both the RedHat/CentOS/Fedora and Ubuntu/Debian platforms, the knockd configuration is managed in /etc/knockd.conf. Before making changes, always shut down knockd. Then make your changes. Then restart knockd. On RedHat systems, use service knockd stop and start. On Ubuntu, use /etc/init.d/knockd stop and start. By default, knockd monitors activity on eth0. If your setup is different, on Ubuntu, you’ll need to change the interface in /etc/default/knockd: KNOCKD_OPTS="-i wlan0". On RedHat, the config file to modify is /etc/sysconfig/knockd.

In /etc/knockd.conf, create an additional context to either start or stop an activity. A single context can also be used to do both. More examples here. There’s no reason these activities have to be limited to opening and closing the IPtables firewall ports. You could also use a knock sequence to turn on home lighting or a sprinkler system with the proper software on your server.

To change the knock ports, edit sequence. Both tcp and udp ports are supported. seq_timeout is the number of seconds knockd waits for the complete knock sequence before discarding what it’s already received. We’ve had better luck on more servers setting tcpflags=syn. start_command is the command to be executed when the sequence matches. cmd_timeout and stop_command tell knockd what to do after a certain number of seconds have elapsed since the start_command was initiated. If you’re only starting or stopping some activity (rather than both), use command instead of start_command and stop_command to specify the activity.

IPtables 101. The default setup gives complete server access to anyone that gets the knock right. That doesn’t mean they get in. In the PIAF World, it means they get rights equivalent to what someone else on your LAN would have, i.e. they can attempt to log in or they can use a browser to access FreePBX® provided they know the server’s root or FreePBX credentials.

If you would prefer to limit access to a single port or just a few ports, you can modify command or start_command and stop_command. Here are a few examples to get you started.

To open SSH access (TCP port 22):

/sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

To close SSH access (TCP port 22):

/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

To open a range of SIP ports (UDP 5060 to 5069):

/sbin/iptables -A INPUT -s %IP% -p udp --dport 5060:5069 -j ACCEPT

To close a range of SIP ports (UDP 5060 to 5069):

/sbin/iptables -D INPUT -s %IP% -p udp --dport 5060:5069 -j ACCEPT

Here’s a gotcha to be aware of. If you’re using the Travelin’ Man 3 WhiteList setup on your server, be especially careful in crafting your IPtables rules so that you don’t accidentally remove an existing Travelin’ Man 3 rule in closing some port with knockd. You will note that the syntax of the knockd commands is intentionally a bit different than what you will find in your Travelin’ Man 3 setup. This avoids clobbering something accidentally.
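To see how the settings above and the IPtables rules fit together in one file, here is a complete /etc/knockd.conf written for this article as an illustration. It is not the file the installers generate: the knock ports (7000/8000/9000 and 2222/3333/4444) are placeholders for the random sequence the installer assigns, the context names are our own (opencloseSSH matches the name that shows up in the sample log), and the timeouts follow the defaults described above (15-second knock window, one-hour open period).

```ini
[options]
    # log to a file rather than syslog; this is the file the Monitoring section reads
    logfile   = /var/log/knockd.log
    # interface to watch; change to wlan0 etc. if your server does not use eth0
    interface = eth0

# One context that both opens and closes: SSH is opened for the knocking IP
# (%IP% is substituted by knockd) and closed again after cmd_timeout seconds.
# Ports 7000,8000,9000 are placeholders; use your own randomized sequence.
[opencloseSSH]
    sequence      = 7000,8000,9000
    seq_timeout   = 15
    tcpflags      = syn
    start_command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    cmd_timeout   = 3600
    stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

# Separate open and close contexts for the SIP range, each with a single command.
# The sequence may mix protocols (port:udp / port:tcp); the reverse order closes.
[openSIP]
    sequence    = 2222:udp,3333:tcp,4444:udp
    seq_timeout = 15
    tcpflags    = syn
    command     = /sbin/iptables -A INPUT -s %IP% -p udp --dport 5060:5069 -j ACCEPT

[closeSIP]
    sequence    = 4444:udp,3333:tcp,2222:udp
    seq_timeout = 15
    tcpflags    = syn
    command     = /sbin/iptables -D INPUT -s %IP% -p udp --dport 5060:5069 -j ACCEPT
```

Stop knockd before editing and start it again afterwards, as described in the navigation guide. The stop_command and the close context use iptables -D, which only deletes a rule whose specification matches exactly; a Travelin’ Man 3 entry written in a different form is therefore left untouched, which is the point of the deliberate syntax difference mentioned above.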

Monitoring Activity. Here are the two best tools to monitor knockd activity to make certain your setup is performing as expected. The knockd log (/var/log/knockd.log) will tell you when a knocking attempt has occurred and whether it was successful:

[2014-07-06 14:44] starting up, listening on eth0
[2014-07-06 15:29] 79.299.148.11: opencloseSSH: Stage 1
[2014-07-06 15:29] 79.299.148.11: opencloseSSH: Stage 2
[2014-07-06 15:29] 79.299.148.11: opencloseSSH: Stage 3
[2014-07-06 15:29] 79.299.148.11: opencloseSSH: OPEN SESAME
[2014-07-06 15:29] opencloseSSH: running command: /sbin/iptables -A INPUT -s 79.299.148.11 -p tcp --dport 22 -j ACCEPT

Next, verify that the IPtables command did what it was supposed to do. iptables -nL will tell you whether port 22 access was, in fact, enabled for 79.299.148.11. The entry will appear just above the closing Chain entries in the listing:

ACCEPT     tcp  --  79.299.148.11         0.0.0.0/0           tcp dpt:22

Two things typically can go wrong. Either the knock from a client computer or cellphone wasn’t successful (knockd.log will tell you that) or IPtables didn’t open the port(s) requested in your knockd command (the iptables -nL query will show you that). In the latter case, it’s usually a syntax error in your knockd command.
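The two checks just described can be scripted so that a completed knock whose IPtables command silently failed stands out. The script below is an added example, not part of the article or of knockd: it pulls the completed sequences (the OPEN SESAME lines) out of knockd.log and cross-checks each knocking IP against an iptables -nL listing. The log lines and the listing at the bottom are constructed sample data using TEST-NET addresses so the script runs offline; for real use, point the functions at /var/log/knockd.log and at a file captured from iptables -nL.

```shell
#!/bin/sh
# Added example (not from the article or knockd): cross-check knockd.log
# against an `iptables -nL` listing. Sample data below is constructed.

# Print "IP context" for every completed knock sequence (the OPEN SESAME line).
# Log line shape: [2014-07-06 15:29] 203.0.113.7: opencloseSSH: OPEN SESAME
knock_successes() {
    awk '/OPEN SESAME/ {
        ip = $3;  sub(/:$/, "", ip)
        ctx = $4; sub(/:$/, "", ctx)
        print ip, ctx
    }' "$1"
}

# Number of completed sequences from one IP; partial Stage 1/2 attempts do not count.
knock_count() {
    knock_successes "$2" | awk -v ip="$1" '$1 == ip { n++ } END { print n + 0 }'
}

# Exit 0 if the listing holds an ACCEPT rule from IP to the given port or range
# (dpt:22, dpts:5060:5069), otherwise exit 1.
port_open_for_ip() {
    awk -v ip="$2" -v port="$3" '
        $1 == "ACCEPT" && $4 == ip && ($NF == "dpt:" port || $NF == "dpts:" port) { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# For each IP that completed a sequence, report whether iptables actually holds
# an ACCEPT rule with that source; return the number of knockers with no rule.
verify_knocks() {
    log="$1"; listing="$2"; missing=0
    for ip in $(knock_successes "$log" | awk '{ print $1 }' | sort -u); do
        if awk -v ip="$ip" '$1 == "ACCEPT" && $4 == ip { f = 1 } END { exit f ? 0 : 1 }' "$listing"; then
            echo "$ip: knock completed and ACCEPT rule present"
        else
            echo "$ip: knock completed but NO ACCEPT rule found - check the command in /etc/knockd.conf"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# ---- constructed sample data (not real traffic) ----
SAMPLE_LOG=$(mktemp)
SAMPLE_LISTING=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_LISTING"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[2014-07-06 14:44] starting up, listening on eth0
[2014-07-06 15:29] 203.0.113.7: opencloseSSH: Stage 1
[2014-07-06 15:29] 203.0.113.7: opencloseSSH: Stage 2
[2014-07-06 15:29] 203.0.113.7: opencloseSSH: Stage 3
[2014-07-06 15:29] 203.0.113.7: opencloseSSH: OPEN SESAME
[2014-07-06 15:29] opencloseSSH: running command: /sbin/iptables -A INPUT -s 203.0.113.7 -p tcp --dport 22 -j ACCEPT
[2014-07-06 15:31] 198.51.100.9: opencloseSSH: Stage 1
[2014-07-06 15:31] 198.51.100.9: opencloseSSH: Stage 2
[2014-07-06 15:40] 198.51.100.9: openSIP: Stage 1
[2014-07-06 15:40] 198.51.100.9: openSIP: Stage 2
[2014-07-06 15:40] 198.51.100.9: openSIP: Stage 3
[2014-07-06 15:40] 198.51.100.9: openSIP: OPEN SESAME
[2014-07-06 15:40] openSIP: running command: /sbin/iptables -A INPUT -s 198.51.100.9 -p udp --dport 5060:5069 -j ACCEPT
EOF

# Listing in the shape `iptables -nL` prints; 198.51.100.9 deliberately has no
# rule, mimicking a knockd command that failed because of a syntax error.
cat > "$SAMPLE_LISTING" <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  203.0.113.7          0.0.0.0/0           tcp dpt:22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF

verify_knocks "$SAMPLE_LOG" "$SAMPLE_LISTING" && missing_total=0 || missing_total=$?
echo "knockers with no matching rule: $missing_total"
```

Run against the live files as root with something like verify_knocks /var/log/knockd.log <(iptables -nL) under bash, or capture iptables -nL to a file first for plain sh. A non-zero count points at the knockd command itself, which is where the syntax errors usually live.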

Port Knocker Clients. The idea behind Port Knocker is to make remote access easy both for system administrators and end-users. From the end-user perspective, the simplest way to do that is to load an app on the end-user’s smartphone so that even a monkey could push a button to gain remote access to a server. If the end-user’s cellphone has WiFi connectivity sitting behind a firewall in a hotel somewhere, then executing a port knock from the smartphone should open up connectivity for any other devices in the hotel room including any notebook computers and tablets. All the devices typically will have the same public IP address, and this is the IP address that will be enabled with a successful knock from the smartphone.

Gotta love Apple’s search engine. Google, they’re not…

There actually are numerous port knocking clients for both Android and iOS devices. Here are two that we’ve tested that work: PortKnock for the iPhone and iPad is 99¢ and PortKnocker for Android is free. Some clients work better than others, and some don’t work at all or work only once. DroidKnocker always worked great the first time. Then it wouldn’t work again until the smartphone was restarted. KnockOnD for the iPhone, which is free, worked fine with our office-based server but wouldn’t work at all with a cloud-based server at RentPBX. With all the clients, we had better results particularly with cloud-based servers by changing the time between knocks to 200 milliseconds. How and when the three knocks are sent seems to matter! Of all the clients on all the platforms, PortKnocker was the least temperamental and offered the most consistent results. And you can’t beat the price. A typical setup is to specify the address of the server and the 3 ports to be knocked. Make sure you have set the correct UDP/TCP option for each of the three knocks (the default setup uses 3 TCP ports), and make sure the IP address or FQDN for your server is correct.

Another alternative is to use nmap to send the knocks from a remote computer. The knock.FAQ file in your server’s /root directory will tell you the proper commands to send to successfully execute a connection with your server’s default Port Knocker setup. Enjoy!

Originally published: Monday, July 7, 2014


Support Issues. With any application as sophisticated as this one, you’re bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It’s the best Asterisk tech support site in the business, and it’s all free! Please have a look and post your support questions there. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of users just like you. You won’t have to wait long for an answer to your question.



Need help with Asterisk? Visit the PBX in a Flash Forum.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

Top 3 Asterisk Security Tips for 2014: WhiteLists, WhiteLists, and WhiteLists

We’ve devoted a lot of energy to Asterisk security over the years with our Primer on Avoiding the $100,000 Phone Bill and our 20 Failsafe Tips and our SIP Navigation Guide plus numerous tutorials on deployment of Virtual Private Networks to secure your servers and phones including NeoRouter, PPTP, and Easy OpenVPN among others. But, when it comes to ease of installation and use with rock-solid security, nothing comes close to deployment of WhiteLists with the IPtables Linux firewall that’s included at no cost with every major Linux distribution and with all of the Asterisk® aggregations including PBX in a Flash™ and Incredible PBX™. So we’re kicking off the summer with a careful look at the methodology behind IPtables and the Travelin’ Man™ tools developed to reduce the learning curve for new users.

Security, of course, is all about the “bundle of sticks.” As we learned from Aesop’s Fables, the more sticks you bundle together, the more difficult it is to break the stick. We are by no means advocating that you drop all of the other tools at your disposal to improve the security of your Asterisk server. So, before we dive into WhiteLists, let’s spend a little time covering some of the other tools that are available and why those tools should not be relied upon exclusively.

1. Hardware-based Firewall. The PBX in a Flash project has cautioned users for years not to run Asterisk-based servers connected to the Internet without a hardware-based firewall between your server and the public Internet. Is it failsafe? No. Some hardware-based firewalls have been compromised either by the bad guys or by the NSA. Pardon the redundancy. The other problem with hardware-based firewalls is that they’re generally not available with cloud-based solutions. As the price of cloud computing has dropped and the cost and headaches of maintaining your own hardware has increased, more and more folks are considering cloud-based alternatives. Yes. Hardware-based firewalls should be deployed whenever possible. No. They won’t resolve all security concerns.

2. Fail2Ban. Once upon a time, a number of us thought that Fail2Ban was the answer to all security issues with Asterisk-based servers. In a nutshell, Fail2Ban scans your logs searching for failed attempts to log in to either SSH, FTP, Apache, SIP, or an email account. After a small number of failed attempts, Fail2Ban blocks further access from the IP address initiating the requests. There are two problems with Fail2Ban. First, software developers of the affected services continue to “improve” things with new and different error messages when login failures occur. Since Fail2Ban is searching for specific word matches to identify unsuccessful logins, the whole security mechanism fails when the “magic words” change unless everyone is extremely vigilant in maintaining the “magic word” lists AND updating the Fail2Ban rules on all of your servers. Our experience suggests that the bad guys find the new “magic words” long before everyone else which means there are gaping holes in Fail2Ban regularly. The other problem is supercomputers such as Amazon EC2 which make enormous computing resources available to every Tom, Dick, and Harry. We’re mostly worried about the Dick that can hammer your little server every second with hundreds of thousands of attempts to crack your SIP or SSH passwords. The problem this poses is that most Linux servers never allocate a sufficient time slice to Fail2Ban to scan your Asterisk, Apache, and SendMail logs. Instead of blocking a bad guy after 3 failed login attempts, a bad guy using EC2 may be able to perform several hundred thousand login attempts before Fail2Ban ever detects a problem. Yes. Fail2Ban helps against the bad guy manually keying in passwords. No. Fail2Ban is all but worthless against a sophisticated denial of service attack on your server.

3. Virtual Private Networks. The beauty of virtual private networks (VPNs) is that all of your Internet traffic is encrypted and tunneled through private IP addresses that others can’t intercept. That was the theory until Edward Snowden came along and spoiled the NSA’s party. Yes. We’ve known that PPTP VPNs were vulnerable for a good long while. No. We didn’t know that the NSA (and presumably others) may have had the keys to your castle much longer… regardless of the VPN topology you may be using. The other problem with VPNs is that you need VPN connections for every device connecting to your server. Unfortunately, VPN technology is only available on a small number of SIP telephones, and the supported OpenVPN topology is one of the more difficult VPNs to deploy on a Linux server. Are VPNs better than nothing? Absolutely. Does a VPN provide failsafe communications security over the open Internet? Probably not.

4. Nothing Beats Secure Passwords. Amen. There was a time when some Asterisk-based servers were routinely set up with extension passwords of 1234 or the extension number itself. And outbound SIP trunks were deployed with no dialing rules. And administrators opened accounts with SIP providers with automatic credit card replenishment whenever the accounts ran out of money to cover calls. And no safeguards were put in place to restrict international calling. Little did these folks know that registering to a SIP extension on an Asterisk server provided a blank check for making unlimited calls to anywhere on the planet. Thus was born the $100,000 phone bill. Yes. Nothing Beats Secure Passwords for root, for SIP accounts, and for SIP and IAX trunks connected to commercial providers. But you also need to implement dialing rules for outbound calls that allow your callers to reach only the destinations desired, not the world. And your accounts with providers should always include limits and restrictions on international calls and should never include automatic credit card replenishment.

5. BlackLists. There was a time when blacklisting IP addresses was believed to be the ultimate solution to Internet security problems. Sounds great, doesn’t it? Just set up a database with the IP addresses of all the bad guys in the world, and all our problems will be solved. Problem #1: A new bad guy is born every minute. Problem #2: The bad guys learned how to use VPNs and other random IP address masquerading sites to disguise their true identity. Problem #3: Security vulnerabilities in many Windows-based machines allowed the bad guys to take control of these computers and do their dirty work from there. Problem #4: There are actually some good guys that live in Russia and China. Problem #5: The bad guys learned to poison the “bad guy list” to block essential services such as DNS, Google, Amazon, Netflix, Pandora, and your favorite bank and credit card companies. Yes. The theory of blacklists sounded great. No. Blacklists not only don’t work. They’re downright dangerous.

WhiteLists with IPtables: The Knight in Shining Armor

For the past few years, our Internet security focus has turned toward defining a methodology that works with all PBX in a Flash and Incredible PBX servers, whether they’re dedicated servers behind a hardware-based firewall or public on a cloud-based shared host. And the conclusion we’ve reached is that nothing beats the IPtables Linux firewall for rock-solid Internet security. The reason is its deep integration into the Linux kernel itself through Netfilter, “a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack.” Wikipedia provides an excellent overview for those with an interest. For our purposes, suffice it to say that IPtables examines inbound and outbound packets before any further processing occurs on your server. With our default setup, we typically allow all outbound traffic from your server. For inbound traffic, if the iptables rules permit access, the packet comes in for processing. If not, the packet dies at the door with no acknowledgement that it was even received. In laymen’s terms, if someone attempts to scan your server to determine whether web or SIP services are available, there will be no response at all unless packets from the scanning server’s IP address are permitted in the iptables rules configured on your server. You can determine which rules are in force with this command: iptables -nL.

The basic configuration and syntax of iptables rules can be daunting to those unfamiliar with the territory. And thus was born Travelin’ Man 3, our open source tool to simplify configuration of IPtables by allowing administrators to define WhiteList entries describing the types of services that were allowed access to a server from specified external IP addresses. The basic rules of the Travelin’ Man 3 setup for iptables are these: (1) outbound packets are unrestricted, (2) forwarded, established, and related packets are permitted, (3) inbound packets from the private LAN are unrestricted, but (4) inbound packets from the public Internet are dropped unless permitted by a specific iptables rule. Those rules include certain basic services such as time synchronization (TCP 123) as well as WhiteListed IP address entries for specific or generic services.

Installation is easy. Log into your PBX in a Flash as root and issue the following commands. NOTE: Travelin’ Man 3 is optionally available as part of Incredible PBX installs on the CentOS, Scientific Linux, and PIAF OS platforms. It is preinstalled on the Raspberry Pi and BeagleBone Black platforms with RasPBX. You can determine if it’s already installed on your server with this command: ls /root/secure-iptables. If the script exists, you’ve already got Travelin’ Man installed, but it may not be running so keep reading…

cd /root
wget http://incrediblepbx.com/travelinman3.tar.gz
tar zxvf travelinman3.tar.gz
yum -y install bind-utils
./secure-iptables

Because PBX in a Flash and Incredible PBX servers are primarily designed to support telephony, Travelin’ Man 3 further simplifies the iptables setup by whitelisting the IP addresses of a number of the leading VoIP providers. These include Vitelity (outbound1.vitelity.net and inbound1.vitelity.net), Google Voice (talk.google.com), VoIP.ms (city.voip.ms), DIDforsale (209.216.2.211), CallCentric (callcentric.com), and also VoIPStreet.com (chi-out.voipstreet.com plus chi-in.voipstreet.com), Les.net (did.voip.les.net), Future-Nine, AxVoice (magnum.axvoice.com), SIP2SIP (proxy.sipthor.net), VoIPMyWay (sip.voipwelcome.com), Obivoice/Vestalink (sms.intelafone.com), Teliax, and IPkall. For the complete list: cat /etc/sysconfig/iptables (CentOS) or cat /etc/network/iptables (RasPBX).

The real beauty of Travelin’ Man 3 is you aren’t limited to our WhiteList. You can add your own entries easily using the TM3 scripts that are included in the /root directory. secure-iptables initializes your iptables setup and also lets you define a primary IP address or fully-qualified domain name (FQDN) that will always have access to your server. You must run this script at least once to activate IPtables on all platforms!

Once you have run secure-iptables, you can whitelist additional IP addresses by running add-ip. You can whitelist additional FQDNs by running add-fqdn. You can delete either IP addresses or FQDNs by running del-acct. As noted previously, you can check what’s authorized with the command: iptables -nL.
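The four Travelin’ Man 3 rules listed above map directly onto an iptables-restore ruleset. The script below is an added example and is not the secure-iptables, add-ip or del-acct script itself: it emits the base policy (inbound DROP, outbound and forwarded traffic accepted, established/related and the private LAN allowed) followed by one ACCEPT rule per whitelist entry, either unrestricted or limited to a single service, and it refuses any source that is not a plain dotted-quad or CIDR so that a malformed entry can never become a rule. The LAN range (192.168.1.0/24) and the whitelist entries are assumptions/constructed sample data; the output is text for review, loaded afterwards with iptables-restore as root.

```shell
#!/bin/sh
# Added example; not Travelin' Man 3's own code. Emits an iptables-restore
# ruleset following the four TM3 rules described in the article.

LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed private LAN range

# Base policy in iptables-save/restore syntax: outbound unrestricted,
# forwarding permitted, loopback + established/related + LAN accepted inbound,
# everything else from the Internet dropped unless a later rule permits it.
tm3_base_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s $LAN_NET -j ACCEPT
EOF
}

# One whitelist rule. With only a source, that host reaches every port; with a
# protocol and port (tcp 22, udp 5060:5069) it is limited to that one service.
whitelist_rule() {
    if [ -z "$2" ]; then
        echo "-A INPUT -s $1 -j ACCEPT"
    else
        echo "-A INPUT -s $1 -p $2 --dport $3 -j ACCEPT"
    fi
}

# Accept only a dotted-quad IP or IP/prefix; anything else (hostnames, shell
# metacharacters, octets above 255) is rejected before it reaches a rule.
valid_source() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i + 0 > 255) exit 1
            if (NF == 5 && ($5 !~ /^[0-9][0-9]?$/ || $5 + 0 > 32)) exit 1
        }'
}

# Build the complete ruleset from a whitelist file with lines "source [proto port]".
# Blank lines and # comments are ignored; malformed sources are reported and skipped.
build_ruleset() {
    tm3_base_rules
    awk 'NF && $1 !~ /^#/' "$1" | while read -r src proto port; do
        if valid_source "$src"; then
            whitelist_rule "$src" "$proto" "$port"
        else
            echo "skipping malformed whitelist entry: $src" >&2
        fi
    done
    echo "COMMIT"
}

# ---- constructed sample whitelist (TEST-NET addresses) ----
SAMPLE_WHITELIST=$(mktemp)
trap 'rm -f "$SAMPLE_WHITELIST"' EXIT
cat > "$SAMPLE_WHITELIST" <<'EOF'
# home office: every port
203.0.113.7
# road warrior: SSH only
198.51.100.9 tcp 22
# SIP provider range: SIP ports only
192.0.2.0/24 udp 5060:5069
# a bad entry that must never become a rule
203.0.113.7;reboot
EOF

build_ruleset "$SAMPLE_WHITELIST"
```

Redirect the output to a file, read it over, and then load it with iptables-restore; the real Travelin’ Man 3 scripts additionally handle FQDN entries, which is where the iptables-restart script described next earns its keep.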

We’ve also included a custom script to restart IPtables gracefully: iptables-restart. The reason is that using the traditional restarting mechanism in IPtables will leave your server vulnerable (and IPtables inoperative) if a particular FQDN cannot be resolved. The iptables-restart script takes another approach and removes the offending rule from your whitelist, alerts you to the problem, and then restarts iptables without the offending entry. So all existing rules are put back in place and function as you would expect.

Finally, Travelin’ Man 3 includes a script that allows you to utilize FQDNs for users that may have ever-changing dynamic IP addresses. Steps #4, #5, and #6 in the original Travelin’ Man 3 tutorial will walk you through the Administrator setup which only takes a minute or two and never has to be touched again. Basically, a cron job script is employed to check for changes in the dynamic IP addresses you have identified with FQDNs. If changes are found, IPtables is restarted which updates the IP addresses accordingly.

Unfortunately, there was one group of end-users that weren’t covered by the Travelin’ Man 3 setup. This group included traveling salespeople or vacationing individuals that may land in a different city every night. Rather than relying upon an administrator to provide access to home base, these frequent travelers needed their own tool to manage their IP address as it changed. While this was supported through a web interface in Travelin’ Man 2, that setup exposed your web server to the public Internet and was burdensome for administrators to initially configure. Most importantly, it didn’t manage remote IP address access using IPtables which made coexistence with TM3 difficult. Thus was born Travelin’ Man 4.

Introducing Travelin’ Man 4: Managing WhiteList Access by Telephone

Travelin’ Man 4 is a new add-on for an existing Travelin’ Man 3 setup. It’s for those that wish to allow traveling individuals to manage their own whitelist access to PBX in a Flash or Incredible PBX using a telephone. An Administrator preconfigures accounts and passwords for the travelers together with the services to which they will have access on the server. Using any cellphone or hotel phone, the traveler simply dials a preconfigured number to access an IVR that will prompt the user for an account number and PIN. Unless you have a spare DID, you can grab a free one from IPkall.com to use with your Travelin’ Man 4 IVR. Once a user is successfully logged in, the IVR will prompt for the user’s IP address to be whitelisted on the server. Enter it using this format: 12*34*56*78.

Within a couple minutes, the new IP address will be properly formatted and then whitelisted in IPtables, and the traveler will be sent an email acknowledging that the account has been activated. Once the account is activated, the traveler can use a SIP softphone application such as Zoiper on any iPhone or Android phone or a softphone on any desktop computer to place and receive calls as well as to check voicemail on the remote PBX in a Flash server. For anyone that doesn’t know their current IP address, a quick visit to WhatIsMyIP.com will tell you. Travelin’ Man 4 is licensed under GPL2 so download a free copy. Then read the tutorial and give it a whirl. Enjoy!
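The step where the keypad entry 12*34*56*78 is “properly formatted” is also where the input must be validated, since whatever the caller types ends up as the source of an IPtables rule. The functions below are an added example rather than Travelin’ Man 4’s own code: dtmf_to_ip converts the star-separated entry to dotted form and rejects anything that is not exactly four octets in the range 0 to 255, and ivr_whitelist_command builds the corresponding rule only from a validated address, with an optional per-account service restriction. The sample entries are constructed.

```shell
#!/bin/sh
# Added example, not Travelin' Man 4's own code: validate the IVR's
# star-separated IP entry before it can reach an iptables command.

# Print the dotted address for a valid entry and return 0; print nothing and
# return 1 for anything else (wrong field count, non-digits, octet > 255).
dtmf_to_ip() {
    printf '%s\n' "$1" | awk -F'[*]' '
        NF != 4 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i + 0 > 255) exit 1
            # %d normalizes leading zeros (010 -> 10)
            printf "%d.%d.%d.%d\n", $1, $2, $3, $4
        }'
}

# Build the whitelist command for a validated entry. The optional proto/port
# pair mirrors a per-account service restriction set by the administrator.
ivr_whitelist_command() {
    ip=$(dtmf_to_ip "$1") || return 1
    if [ -n "$2" ]; then
        echo "/sbin/iptables -A INPUT -s $ip -p $2 --dport $3 -j ACCEPT"
    else
        echo "/sbin/iptables -A INPUT -s $ip -j ACCEPT"
    fi
}

# Demonstration with constructed keypad entries, good and bad.
for entry in '12*34*56*78' '203*0*113*7' '12*34*56' '12*34*56*300' '12*34*56*78*' '1;2*3*4*5'; do
    if ip=$(dtmf_to_ip "$entry"); then
        echo "$entry -> $ip"
    else
        echo "$entry -> rejected"
    fi
done
```

Because the caller never reaches a shell and a rejected entry produces no command at all, the IVR can prompt again instead of whitelisting a half-typed address.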

Originally published: Wednesday, May 21, 2014





Some Recent Nerd Vittles Articles of Interest…

FMC: The Future of Telephony with Vitelity’s vMobile and Asterisk in the Cloud




If making phone calls from a web browser is what you’ve always longed for, then you’re in good company with Google and its future direction in the telephony space. Call us old fashioned but this strikes us as a solution in desperate need of a problem. What’s wrong with a Plain Old Telephone or a smartphone for making connections with friends and business associates? The real head scratcher is the fact that the WebRTC and Hangouts push demonstrates that the wizards at Google are seriously out of touch with the next generation. Will our 14-year-old daughter use Skype or Hangouts or FaceTime? Sure. About once a month to chat with Grandma or to interact with cousins scattered around the country, it’s a terrific option. And the same is true in the business community. When you need to collaborate with a half dozen colleagues, conferencing applications are invaluable. But to meet 95% of day in and day out business requirements, a telephone or smartphone is the clear device of choice. So join us today in celebrating the end of Google Voice XMPP service and the beginning of a new and even more exciting VoIP era… sans Google.


Of course, if it were up to the next generation, telephone calls might completely disappear in favor of text messaging, Snapchat, Instagram, and any other platform that includes recorded photos or videos. Note the subtle difference. Kids really are not interested in live video interaction. They find posed images that tell a story much more appealing. Why? Because recorded photos and videos let users present their best face, their movie star pose, and their expression of what they want others to perceive they’re really like. In short, live video is too much like real life. Our conclusion for those targeting the next generation is you’d better come up with something better and quite different than Skype, Hangouts, and FaceTime.

It’s Fixed-Mobile Convergence, Stupid!

Now let’s return to our primary focus for today, the current business community. Suffice it to say, there are a dwindling number of what we used to call “desk jobs” where an employee arrives at his or her desk at 9 a.m. and leaves at 5 p.m. As more and more jobs are headed off shore, the telephone and smartphone have replaced the corporate desk as the most indispensable corporate fixture. Particularly in the American marketplace, what we see with most businesses is a management layer and an (upwardly) mobile force of salespeople, consultants, and implementers that interact primarily through PBXs in an office headquarters or home office together with smartphones for those that generally are on the road. Many of these Road Warriors don’t even have a home phone any longer.


The telephony Holy Grail for this new business model is Fixed-Mobile Convergence (FMC). It’s the ability to transparently move from place to place while retaining your corporate identity. Every employee from the night watchman in Miami to the salesperson making calls from a Starbucks in California to the CEO in New York has an extension on a PBX in the cloud together with the ability to accept and place calls using the company’s CallerID name and number, transfer calls, and participate in conference calls regardless of whether the phone instrument happens to be a desktop phone or a smartphone. Is this even possible? Well, as of last week, the answer is ABSOLUTELY.

Vitelity has been a long-time corporate sponsor of both the Nerd Vittles and PBX in a Flash open source projects so we were thrilled when we were offered a free, Samsung Galaxy S III to try out the new (live) vMobile service that took Best in Show honors at ITEXPO Miami in January. As Vitelity’s Chris Brown would probably tell you, it’s one thing to demonstrate a new technology at a trade show and quite another to bring it into production. But Vitelity did it:

What we want to stress up front is that we’ve received no special treatment in getting this to work. We received the phone, opened a support ticket to register the phone on Vitelity’s vMobile network, and plugged our new credentials into the phone so that it could be integrated into our PBX in a Flash server. Once the smartphone became an extension on our PBX, we could place calls through our PBX with the S3 using both WiFi and Sprint 3G/4G service. Switching between WiFi and cellular is totally transparent. The CallerID for all outbound calls was our standard PBX CallerID. We also could place calls to other extensions on the PBX by dialing a 4-digit extension while connected to WiFi or the Sprint network virtually anywhere. If you have 3-digit extensions, those are a problem over the Sprint network but we’ll show you a little trick to get them working as well.

Keep in mind that every call from the S3 goes out through the PBX just as if you were using a standard desktop phone as a hardwired extension. And it really doesn’t matter whether the S3 has a WiFi connection or a pure cellular connection on Sprint’s network. You receive calls on the S3 in much the same way. It’s just another extension on your PBX. If you want to add it to a ring group to process incoming calls, that works. If other users on your PBX wish to call the S3 directly using the extension number, that works as well. If you want to transfer a call, pressing ## on the S3 initiates the transfer just as if you were using a phone on your desk. When we say transparent convergence, we really do mean transparent. No recipient of a call from the vMobile S3 would have any idea whether you were sitting at a desk in the corporate headquarters in New York or in a seat on a Delta jet after landing in San Francisco. Both the call quality and the corporate CallerID would be identical. And your secretary on maternity leave at Grandma’s house still could reach you using her vMobile S3 by simply dialing your corporate extension.

So that’s the Fortune 500 view of the new VoIP universe. How about the little guy with a $15 a month PBX in a Flash server in the RentPBX cloud[1], a couple mobile sales people, and a handful of construction workers that build swimming pools for a living? It works identically. Each has an S3 connected as an extension on the PIAF cloud server. And calls can be managed in exactly the same way they would be handled if everyone were sitting side-by-side at desks in an office headquarters somewhere. The silver lining of cloud computing is that it serves as the Great Equalizer between SOHO businesses and Fortune 500 companies. Asterisk® paired with inexpensive cloud hosting services such as RentPBX lets you mimic the Big Boys for pennies on the dollar. We think Vitelity has hit a bases-loaded home run with vMobile.


vMobile Pricing

We know what you’re thinking. “Since you got yours for free, what does it really cost??” The Galaxy S3 (or S4) is proprietary, running Trebuchet 1.0, a (rooted) CyanogenMod version of Android’s KitKat. You can purchase these devices directly from the Vitelity Store. Currently, you can’t bring your own device. The refurbished S3 is $189 including warranty. Works perfectly! That’s what we’re using. Next, you’ll need a vMobile account for each phone. Unless you’re a Nerd Vittles reader, it’s $9.95 per month. That gets you free WiFi calling and data usage anywhere you can find an available WiFi hotspot. And text messaging is free. For calls and data using Sprint’s nationwide network, the calls are 2¢ a minute and the data is 2¢ per megabyte ($20 per gigabyte). For us, a typical day of data usage with an email account and light web use costs about a quarter. YMMV! So long as you configure Android to download application updates only when connected to WiFi, data usage should not be a problem unless you’re into photos and streaming video. Android includes excellent tools for monitoring and even curbing your data usage if this is a concern.

vMobile Gotchas

Before we walk you through the setup process, let’s cover the gotchas. The list is short. First, we don’t recommend connecting vMobile devices to a PBX sitting behind a NAT-based firewall, or you may end up with some calls missing audio. The reason is NAT and quirky residential routers. If you think about it, when your S3 is inside the firewall and connected to WiFi, it will have an IP address on your private LAN just like your Asterisk server. When your S3 is outside your firewall on either a cellular connection or someone else’s WiFi network, it will have an IP address that is not on your private LAN. Others may be smarter than we are, but we couldn’t figure out a way to have connections work reliably in both scenarios using most residential routers. You can configure your S3’s PBX extension for NAT=no or NAT=yes, but you can’t tell Asterisk to change it depending upon where you are. One simple solution is to deploy these phones with a VPN connection to your Asterisk server sitting behind a NAT-based firewall. The more reliable solution is to build your PBX in a Flash server in the cloud with no NAT-based firewall. Then use an IPtables WhiteList (aka Travelin’ Man 3) to protect your server. From there, you can either interconnect the cloud-based server with a second PBX behind your firewall, or you can dispense with the local PBX entirely. Either way will eliminate the NAT issues with missing audio. In both cases, use NAT=yes for the vMobile extension.

Another wrinkle involves text messaging. Traditional text messages work fine; however, MMS still is problematic unless you initiate the outbound MMS session with the other recipient. It’s probably worth noting that Google Voice never got MMS working at all despite years of promises. This wasn’t a deal breaker for us, but it’s a bug that still is being worked on.

Finally, there’s Sprint. You either love ‘em or hate ‘em. We really haven’t used Sprint service in about eight years. In the Charleston area, the barely 3G service still is just as lousy as it was eight years ago. But, if you live in an area with good Sprint coverage and performance, this shouldn’t be an issue for you. And vMobile works fine in Charleston. You just won’t be surfing the web very often unless you have hours to kill… waiting. Additionally, dialing numbers with fewer than 4 digits is a non-starter with Sprint, but we’ll show you a simple workaround to reach 3-digit local extensions from your vMobile device below.

With a service as revolutionary as vMobile with Sprint’s new FMC architecture, we can’t help thinking there may be other cellular carriers with an interest in deploying this technology sooner rather than later. But, given the vMobile feature set, Sprint is good enough for now especially when WiFi connectivity is available almost everywhere.




vMobile Configuration at Vitelity

For the Vitelity side of the setup, you first configure your smartphone using the (included) My Phone app. When the application is run, your cellphone number will be shown. Tapping the display about a dozen times will cause the phone’s setup to be reconfigured. Vitelity will provide you the secret key to activate your account. Next, you’ll log into the Vitelity portal and choose vMobile -> My Devices under My Products and Services. The account for your vMobile device will already exist. Clicking on the pull-down menu beside your vMobile device will let you create your SIP account on Vitelity’s server. Enter the IP address or FQDN of your Asterisk server and set up a very secure password. Your username will be the 10-digit phone number assigned to your vMobile phone. Save your settings and then choose the Edit option to view your setup. The portal will display your Username, Password, and FreePBX/Asterisk Connect Host name. Write them down for use when you configure your new extension using FreePBX®.




vMobile Configuration for Asterisk and PBX in a Flash

On the PBX in a Flash server, use a browser to open FreePBX. Choose Applications -> Extensions and add a new generic SIP device. For Display Name and User Extension, enter the 10-digit phone number assigned to your vMobile device. Under Secret, enter the password you assigned in Vitelity’s vMobile portal. Click Submit and reload FreePBX when prompted. Then edit the extension you just created. Set NAT=yes and change the Host entry from dynamic to the FQDN entry that was shown in Vitelity’s vMobile portal, e.g. 7209876542.mobilet103.sipclient.org. Update your configuration and restart FreePBX once again. Next, from the Linux command prompt, restart Asterisk: amportal restart. If you’re using a WhiteList with IPtables such as Travelin’ Man 3, be sure to add a new WhiteList entry for your vMobile Host entry. Finally, add your vMobile extension to any desired Inbound Routes to make certain your vMobile device rings when desired.

You now should be able to place and receive calls on your vMobile device. If you want to be able to call 3-digit Asterisk extensions on both WiFi and while roaming on the Sprint cellular network, then you’ll need to add a little dialplan code since Sprint reserves 3-digit numbers for emergency services and will reject other calls with numbers of less than 4 digits. Here’s the simple fix. Always dial 3-digit extensions with a leading 0, e.g. 0701 to reach extension 701. We’ll strip off the leading zero before routing the call. The dialplan code below works whether you’re calling a local 3-digit extension or a 3-digit extension on an interconnected remote Asterisk server. Simply edit extensions_custom.conf in /etc/asterisk and insert the following code at the top of the [from-internal-custom] context. Then restart Asterisk: amportal restart. Note that we’ve set this up so that, if you have an extension 701 on both the local server and a remote server, the call will be connected to the local 701 extension. If you have different extension prefixes for different branch offices (e.g. 7XX in Atlanta and 8XX in Dallas), then this dialplan code will route the calls properly assuming you’ve configured an outbound route with the appropriate dial pattern for each branch office.

; Callers dial a leading 0 plus the 3-digit extension (e.g. 0701 for 701)
; because Sprint rejects dialed strings of fewer than 4 digits.
exten => _0XXX,1,Answer
exten => _0XXX,n,Wait(1)
; Strip the leading 0 from the dialed number (DNID) to recover the real extension.
exten => _0XXX,n,Set(NUM2CALL=${CALLERID(dnid):1})
; Try the local SIP extension first; if the peer does not exist, Dial fails and falls through.
exten => _0XXX,n,Dial(sip/${NUM2CALL})
; Otherwise route via from-internal so an outbound route can reach a remote server's extension.
exten => _0XXX,n,Dial(local/${NUM2CALL}@from-internal)
exten => _0XXX,n,Hangup
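The insertion step above, as an added example that is not part of the article or of the PBX in a Flash project: a POSIX shell function that places the article’s _0XXX lines at the top of the [from-internal-custom] context in extensions_custom.conf, takes a timestamped backup first, and does nothing if the snippet is already there. It assumes the context header sits alone on its own line, as FreePBX writes it; the file path argument defaults to the path the article names.

```shell
#!/bin/sh
# Added example (not from the Nerd Vittles article or PBX in a Flash):
# install the article's _0XXX dialplan at the top of [from-internal-custom].

# The dialplan lines from the article, verbatim.
ZERO_PREFIX_SNIPPET='exten => _0XXX,1,Answer
exten => _0XXX,n,Wait(1)
exten => _0XXX,n,Set(NUM2CALL=${CALLERID(dnid):1})
exten => _0XXX,n,Dial(sip/${NUM2CALL})
exten => _0XXX,n,Dial(local/${NUM2CALL}@from-internal)
exten => _0XXX,n,Hangup'

# install_zero_prefix_dialplan [CONF_FILE]
# Exit status 0 when the snippet is present afterwards (inserted now, or
# already there), 1 when the context header is missing (nothing is written).
# Assumption: "[from-internal-custom]" is alone on its line, as FreePBX writes it.
install_zero_prefix_dialplan() {
    conf="${1:-/etc/asterisk/extensions_custom.conf}"

    if ! grep -qxF '[from-internal-custom]' "$conf"; then
        echo "install_zero_prefix_dialplan: [from-internal-custom] not found in $conf" >&2
        return 1
    fi
    # Idempotence: the first line of the snippet is the marker we look for.
    if grep -qF 'exten => _0XXX,1,Answer' "$conf"; then
        echo "install_zero_prefix_dialplan: snippet already present in $conf"
        return 0
    fi

    # Keep a backup before touching the live dialplan.
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)" || return 1

    snip=$(mktemp) || return 1
    printf '%s\n' "$ZERO_PREFIX_SNIPPET" > "$snip"
    # sed's r command appends the snippet file right after the context header,
    # so the new priorities become the first lines of [from-internal-custom].
    sed "/^\[from-internal-custom\]\$/r $snip" "$conf" > "$conf.new" \
        && mv "$conf.new" "$conf"
    rc=$?
    rm -f "$snip"
    return $rc
}

# Stand-alone use: sh thisscript.sh /etc/asterisk/extensions_custom.conf
if [ "$#" -gt 0 ]; then
    install_zero_prefix_dialplan "$1"
fi
```

After a successful run, restart Asterisk with amportal restart, as the article directs, so the new context lines are loaded.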

Vitelity vMobile Special for Nerd Vittles Readers

Now for the icing on the cake… We asked Vitelity if they would consider offering special pricing to Nerd Vittles readers and PBX in a Flash users. We’re pleased to report that Vitelity agreed. By using this special link when you sign up, the vMobile monthly fee will be $8.99 instead of $9.95. In addition, your first month is free with no activation fee. We told you last week that there was a very good reason for choosing Vitelity as your SIP provider. Now you know why.

And, if you’re new to Cloud Computing, take advantage of the RentPBX special for Nerd Vittles readers. $15 a month gets you your very own PBX in a Flash server in the Cloud. Just use this coupon code: PIAF2012. Enjoy!

Originally published: Thursday, May 15, 2014





Need help with Asterisk? Visit the PBX in a Flash Forum.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 



[1] RentPBX also is a corporate sponsor of the Nerd Vittles and PBX in a Flash projects.

The End of an Era: Farewell to Dell and Microsoft and Windows

As some of you know, we use computers to do Real Work™ so we’re pretty much agnostic when it comes to operating systems and hardware. We have Windows machines and Macs and Linux servers from quad-core systems that will heat your house to Raspberry Pi’s and BeagleBone Blacks that can run full-featured phone systems. We also take full advantage of cloud-based solutions from Amazon to RentPBX to Copy.com when it is cost-effective to do so. And we give equal time to iPads and Android tablets as well as iPhones and Android phones of many flavors.

When Microsoft moved into copy protection for Windows, we began transitioning to Mac OS X and Linux to handle stuff that mattered to us, but we always kept a foot in the door with Microsoft hoping things might turn around. They haven’t, and Microsoft frankly has no one to blame but itself for the demise of the PC. It’s become almost impossible for mere mortals to maintain, and we’ll get to that story in a minute.

For those that would write us off as yet another Apple fanboy, you obviously haven’t been reading Nerd Vittles for long. We started in the PC business with the third IBM PC sold in Atlanta in the early 1980s. DOS 1.0 came with a beautiful hard-bound binder that included all of the source code for the operating system. With dual 160K floppies, the price tag was about $4,500, and that’s 1980 dollars when Cokes were still a nickel in Atlanta.

When the IBM AT was introduced, we championed the deployment of what would become 30,000+ systems in the federal courts with accompanying HP LaserJet printers. When DOS 3.1 was introduced, we deployed networks in hundreds of courthouses by clipping network cables to the ceiling tiles in the offices to avoid the risks associated with asbestos in many of the old federal courthouses in the United States. When Dell introduced servers, #6 and #7 arrived in Atlanta the next week to run our new Novell NetWare systems. We thought we had died and gone to heaven.

But something happened along the way. Windows was introduced with much fanfare but suffered growing pains for nearly a decade. Despite the fact that Windows bore striking similarities to the work of Apple and Xerox, Microsoft wasted little time engineering the demise of WordPerfect and Lotus 1-2-3 through “software anomalies.” And then came copy protection to make sure others couldn’t do what Microsoft had turned into an art form. And that brings us to yesterday at the new Nerd Vittles headquarters. We’ve been moving this month, and my office transition was low on the totem pole in the family priorities as only those of you with families can appreciate.

We had set up a few desks and a state-of-the-art Dell XPS One for temporary use during the transition. As we previously have written in our touchscreen roundup, the XPS One is truly an engineering marvel in a league of its own. If you haven’t seen an XPS One, it is close to the perfect, touch-screen All-in-One hardware platform that we’ve all dreamed about… except it runs Windows 8. Our “real work” still gets done at a stand-up desk in another room using an iMac with redundant drives.

After writing a couple letters on the XPS One, it suddenly started locking up in the grandest Windows tradition. No notice, but no mouse or keyboard functionality either. Reboot and all is well for a couple minutes, and then more of the same. Within an hour, nothing worked and the dreaded “No boot device” error appeared on reboot. Reaching for the Windows 8 DVD provided by Dell didn’t help either. It complained that there were no drivers for the hardware. Nice touch, Dell dudes! Since the machine was less than a year old, it was time to call Dell. To their credit, the call was answered promptly. And our 90-minute support call begins.

After a 15-minute registration process, we finally were handed off to India. With excruciating clarity, Noah walked us through F2 and F12 Hell attempting to identify what had failed. All of Dell’s diagnostics reported that we had a perfectly functioning computer except for the minor detail that it wouldn’t boot. In the end, the resolution was to ship a new motherboard and hard disk for installation by a local service tech. Noah then asked, “Do you have a backup?” My response was easy. “I don’t need one. We don’t do anything on this machine that isn’t saved elsewhere.” The reason is simple. It’s almost impossible to make a useful backup of a Windows machine. You still have to restore the operating system first and navigate the copy protection minefield before you ever get to your backup. Yes, we know there are alternatives, but cumbersome doesn’t begin to describe that process. And, if you are one of the poor souls that relies upon Comcast and their “free” Norton backup, then you have another Chinese fire drill to endure getting all of that installed before you ever can restore your actual backup files. In short, it’s a multi-day ordeal even assuming nothing goes wrong in the laborious process.

As Noah was wading through the weeds trying to make Windows 8 come back to life, I couldn’t help contrasting the Microsoft/Dell situation to what I have experienced in the Mac world with a similar catastrophic failure. You simply turn off the Mac and then restart it while holding down the Option key. When the list of hard drives appears, choose your USB-connected backup drive and wait for the system to boot and all of your data to reappear. When you finish what you’re doing, shut down the computer, carry it to the Apple store, and pick it up in a couple hours with its new hard disk. Restore the external drive with the click of a button, and you’re back in business.

With all due respect to Noah, what I keep asking myself is why anyone or any organization would endure this kind of misery just to use Microsoft’s copy-protected crapola. Tedious doesn’t begin to describe the 90-minute ordeal which is merely Phase I of a week-long process. Multiply that by thousands of PCs in an organization, and you’d be visiting the closest gun dealer begging anyone to put you out of your misery.

When I see every kid with zero interest in a desktop computer of any kind, I think we all have Microsoft to thank for the rise of the tablet and cellphone. If an iPhone or Android phone dies, you move your SIM card to a new one and reboot. All of your stuff reappears without touching anything. Who would want anything else?

Michael Dell is a smart guy with lots of money and a (once again) private company. If he wants to stay in business, he needs to figure out a way to kiss India goodbye and develop a functional backup and restore methodology that’s as easy as what you find on a tablet or cellphone. Short of that, our love affair with Dell will end when our 3-year extended warranty comes to a close. I can’t say it’s always been fun, but it has been a Wild Ride!

Epilogue: After completion of our call to Dell, it took 21 hours for the local service tech to receive the parts from Dell, arrive at our doorstep, and complete the motherboard and hard drive replacement. Very impressive! Unfortunately, the kudos end there. And that’s exactly the point of this article. The replacement drive was shipped blank with two DVDs and a Windows 8 product key. The process to get back to the functioning system we previously had involved reloading Windows 8 plus all of the software updates plus the free Windows 8.1 upgrade. Total time: a whopping 21 hours! And this was before we ever restored the first backup! It’s a procedure with good imaging technology that could have been completed in about 15 minutes. So our conclusion remains the same. Absent some focus by Dell in addressing the restore shortcomings with hardware failures, the best hardware in the world isn’t going to keep Dell or the Microsoft desktop empire afloat. Painful doesn’t begin to describe this ordeal for the average consumer.

Originally published: Thursday, March 27, 2014









Crippleware: Is Red Hat Rewriting the GPL and the Future of Open Source?

We’ve always been a believer that things happen for a reason. And so it is with the recent CentOS “acquisition” by Red Hat. It’s no secret that CentOS was cutting into Red Hat’s revenue stream. While Red Hat had announced plans to create its own CentOS-like spinoff, the actual absorption of CentOS and its development team into Red Hat, Inc. was a surprise. So was the claim by Karanbir Singh that he individually owned the CentOS trademark. As we previously described, the whole CentOS story is more than a little murky. What began as a rebellion by some open source developers to the heavy-handed Red Hat reinvention of what open source and the GPL were all about abruptly morphed into something quite different. We hope Red Hat has the best of intentions, but some may see things differently given Red Hat’s history in the open source space. Did one or more developers just throw in the towel in exchange for some undisclosed money and a cushy job? Only the developer(s) know the answer to that. From Red Hat’s perspective, it gives them complete control of the best known, free, competitive and compatible product that was making inroads into their cash cow, Enterprise Linux. Only time will tell whether the goal of this acquisition was to make CentOS a better product. Nothing now prevents Red Hat from diminishing the compatibility between Enterprise Linux and CentOS.

In the VoIP world, CentOS has played a leading role in the evolution of Asterisk-compatible turnkey systems. That history includes Asterisk@Home, trixbox, Elastix, PBX in a Flash, Asterisk Now, and the FreePBX platform. Just as Excel relies upon Windows to run, all of these distributions have relied upon CentOS as the underlying Linux operating system for their VoIP platform. And this has been the case for almost a decade with no objection from the CentOS folks. In fact, some of us that contributed to the CentOS project received tacit approval to do exactly what we’ve been doing by bundling CentOS with the PBX in a Flash VoIP platform. After all, CentOS is GPL2 software, and we can read.

Having said that, the PBX in a Flash Dev Team is shifting gears. Down the road we plan to release 32-bit and 64-bit Scientific Linux-based ISOs supported by our own software repository. By popular demand, over the next few weeks, we will release the PIAF3-Installer, a freeware installation program that installs PBX in a Flash 3.0.6.5 on an existing Linux platform. You first install the operating system of your choice, and then the PIAF3-Installer takes it from there. The first release will support 32-bit or 64-bit CentOS 6.5 or the Scientific Linux 6.5 minimal install. Future releases will support additional Linux operating systems, and we’ll keep you posted on what those platforms will be. All of the installs have been designed to look and feel and perform exactly as the PIAF 2.0.6.5 ISO works today. The installer also has been designed to work with our cloud partner, RentPBX. And it should work well on other cloud platforms as well as virtual machines including VirtualBox. The PIAF-Green Virtual Machine featuring Scientific Linux 6.5 is already available and was built using the new PIAF3-Installer. For the time being, the PIAF3-Installer gets us out of the operating system business until some of the legal issues are resolved. There’s lots of exciting new PIAF3 software coming your way very shortly. So stay tuned.

So what’s the big deal with the Red Hat acquisition?

Red Hat has a different view of the open source universe and the GNU General Public license (GPL2) under which CentOS is distributed. And, make no mistake, Red Hat has no choice about using the GPL2 license because their aggregations include thousands of components, most of which are licensed under GPL2. One of the fundamental precepts of GPL licensing is you are free to use or add to others’ GPL-licensed products so long as you also license your software under the same terms, i.e. the GPL2 license. Historically, Red Hat has applied its own GPL interpretation.

Here’s where it gets interesting. Red Hat aggregated thousands of these GPL2 products and configured them so that they worked harmoniously. And thus was born Enterprise Linux, a wildly profitable Linux “operating system” which consisted primarily of other developers’ free open source software components. And what did Red Hat bring to the table? A trademarked name and logo consisting of some artwork, a method of installing and configuring the various components so that they played nice with each other, and a marketing, support, and legal department. In pulling off this hat trick, Red Hat sprinkled its trademarked name and copyrighted artwork in various files throughout the operating system in such a way that the system wouldn’t function if you removed or renamed some of the files under which the Enterprise Linux operating system was running. Then Red Hat barred others from using its trademarks and copyrighted artwork in competitive products that sought to fork, use, and enhance the Enterprise Linux GPL2-licensed code claiming brand confusion. Merriam-Webster calls it a gotcha. We do, too.

With CentOS, the developers (perhaps with some Red Hat coaching) were sufficiently savvy to remove the Red Hat branding and artwork and then recompiled the source code substituting their own branding and artwork while never disclosing exactly how they did what they did. Scientific Linux did much the same thing a bit later. Was there a non-disclosure agreement between CentOS and Red Hat that was part of their legal settlement? Who knows? The bottom line was that the CentOS project operating under the cAOS Foundation made bold claims that they’d never act like RedHat in dealing with others that wanted to use their free product. And, more importantly, they kept their word and never did… at least until the 2014 Red Hat acquisition when CentOS license terms abruptly changed.

Here’s the key language that all of us relied upon as far as CentOS licensing and integration into other products:

[W]e will never make the system depend on an item of non-free software.

We won’t object to commercial software that is intended to run on cAos systems, and we’ll allow others to create value-added distributions containing both cAos and commercial software, without any fee from us. To support these goals, we will provide an integrated system of high quality, 100% open source software, with no legal restrictions that would prevent these kinds of use. (Emphasis added)

Indeed, this licensing approach is exactly what GPL2 requires! The Red Hat theory of open source licensing goes something like this. You are free to use our source code (only) to develop your own GPL2 product provided you recompile the executables after removing all of our trademarks and copyrighted artwork from the source before you proceed. And here’s the rub with that approach: the GPL2 license. Three important components of the GPL2 license are listed below. Red Hat’s new CentOS license only partially complies with sections 1 and 2 while ignoring sections 3 and 7.

Sections 1 and 2 of GPL2 give users the right to copy, modify, and redistribute source code provided appropriate notices are attached and the new source code is licensed under GPL2. There’s no authorization to restrict or limit reuse or modification of individual components in the GPL2 program.

Section 3 of GPL2 gives users the right to copy and use or modify the object code provided in the original work. There’s no authorization to restrict or limit reuse or modification of individual executable components in the program.

Section 7 of GPL2 is the enforcement mechanism of the license. If the licensor uses a patent “or any other reason (not limited to patent issues)” to restrict the use of a GPL2-licensed product then the licensor has two options: (1) remove the restriction on use or (2) stop distributing the product pursuant to GPL2. If the licensor insists upon enforcement of a patent, a trademark, or copyright claim whether real or contrived, then “the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.” The quoted passages couldn’t be more clear.

Red Hat wants to have its cake and eat it, too: sell a product using everyone else’s free GPL2 products without restriction and then tie up its own GPL2 product with trademark and copyright land mines that deter others from using the product except in an inoperative form. This is nothing new. Back in the shareware days, we called it Crippleware. Stated another way, Red Hat wants to permit GPL2 use of modified CentOS in source code format only, minus the CentOS marks and images, without any object code or executables, and without telling you how to restore functionality after removing the required pieces to which Red Hat claims ownership. Simply stated, the boat won’t float without major plumbing changes from any user that wants to keep the boat from sinking. And Red Hat won’t tell you where the boat is leaking or how to fix the leaks. Never mind that Red Hat didn’t mind using thousands of other developers’ trademarks and copyrighted artwork in the Enterprise Linux and CentOS aggregations. There’s a reason. Such restrictions are impermissible under the GPL2 license. Indeed, it’s one of the primary reasons that the GPL license came about in the first place. Assuming Red Hat ever obtains the CentOS registered trademark (which we plan to challenge if no one else does), Red Hat has two options under section 7 of GPL2: drop the trademark and artwork removal requirements or stop marketing CentOS and Enterprise Linux as GPL products (which they obviously cannot do since they are using thousands of other folks’ open source trademarked GPL2 products in “their work” at no cost).

Here’s a modest proposal that we believe would make everybody happy. First, many folks don’t give a rip about using either the RHEL or CentOS marks or artwork. It’s the source AND executable code that was released under the GPL that users are after, just as they were promised under GPL2 and under CentOS’s previously published licensing terms. What we’re not going to do is invest hundreds of programming hours rebranding and maintaining what is touted and distributed as a GPL2 product. Personally, I’d prefer to spend the hours on a legal brief blowing Red Hat’s GPL2 reincarnation of open source out of the water. It’s dead wrong based upon the clear language of the GPL2 license. Paying lawyers or experts to twist the meaning of GPL2 language that’s perfectly clear on its face simply isn’t going to fly. We’ve been down this road before. And David and Goliath is still one of our favorite Bible stories.

If Red Hat wants a generic, mark-free, image-free distribution of CentOS in lieu of waiving its trademark and copyright claims, then Red Hat can produce a clone with binaries AND keep it current as new versions of RHEL and CentOS are released! Make it 100% RHEL-compatible and call it MugWump™. Use the Nerd Vittles logo for the artwork. Or come up with any other name and logo so long as there are no restrictions on use by others. If Red Hat uses our proposed name and logo, we will license everyone to use the product, the copyrighted artwork and the MugWump trademark pursuant to GPL2 at no cost. If Red Hat chooses its own new name and logo, then Red Hat agrees to license the product under the same terms we have proffered. The end result: everybody will be happy while saving Red Hat hundreds of thousands of dollars in legal fees. What’s not acceptable is distribution of a product which purports to be GPL2 code but places unreasonable and unachievable restrictions on use without hundreds of hours of development work by potential end users. That’s not what GPL2 was ever about. Hopefully the federal courts won’t have to say so.

Originally published: Tuesday, February 11, 2014

Need help with Asterisk? Visit the PBX in a Flash Forum.


New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
Some Recent Nerd Vittles Articles of Interest…

Don’t Hurry: A First Look at Google Glass with Google Glass Frame

It’s one thing to read about new technology, and quite another to actually try it out. We’ve been holding off on Google Glass awaiting support for prescription lenses. Well, it’s finally here. And Nerd Uno was one of the first to receive the new Google Glass Frames. Having spent the better part of a week with the new technology, here’s our review.

Let’s start with the price tag. Ours came to $1,868.75. That’s before you add the cost of prescription lenses, some of which are now subsidized by vision insurance plans. So the $2,000 question is whether you’re ready for that type of investment in order to assume the mantle of PIONEER. And, make no mistake, Google Glass is a beta project in every sense of the word. We’ll get to that in a minute.

Pardon our morphing into a male chauvinist pig for a moment. Can you picture your significant other ever wearing a pair of these glasses? Seriously? If the answer is no, then put yourself in her shoes and ask the same question. Looks aside (and some of us need all the help we can get), much of the resistance to Google Glass boils down to the privacy issue. It’s one thing to carry a hidden pen camera when nobody knows they’re being recorded. It’s quite another to advertise what you’re up to. As Engadget put it:

It’s a headset with a projected display, a camera and a data connection that could revolutionize the mobile device industry. It could also cause a public uproar over privacy concerns.

People can and should be a bit concerned about someone walking in a public restroom with Glass on and, since you can’t fold them up and stick them in your pocket, finding something to do with them while you do your business is a challenge.

Take it from us. Your friends are going to disown you if you wear these things around them. Nobody (except people that work for Google or would like to) wants to be on camera all the time. And nobody except the Glass wearer knows whether the camera is on or off. Therein lies the problem. All it takes to send a photo to the Google Cloud is the wink of an eye. Ask yourself this question. Do you really want to live in a world like this? We haven’t even gotten to the way you can expect to be treated by strangers. Consider, for example, the poor guy that got dragged out of the movie theater because of a claim that he was illegally recording the movie. He wasn’t! But there was a parking lot full of police and FBI interrogators anyway. Then there are the restaurants and bars that will throw you out just for wearing a pair of wonder glasses. And finally we’ve got the Eager Beaver traffic cop that couldn’t wait to make his first Google Glass bust. So let me repeat the question. Do you really want to live in a world like this? Perhaps the better question is this. Do you think other folks want to live in a world with people like you wearing Google Glass? You can probably guess our answer, but the world does not stand still. So… we will see what we see.

Google Glass Setup and Operation

If you’ve set up an iPhone or Android phone with Gmail using your Google credentials, then you already know the drill for setting up Google Glass. It’s a breeze with the MyGlass app for your smartphone. In 5 minutes, you’ll be ready to tilt your head up and take Google Glass for a spin. The magic word to activate Glass is “OK, Glass.” So far, so good. In the default setup, you can make phone calls, check the weather, participate in Hangouts (you can see them but they can’t see you), read emails, send dictated email messages, take photos and videos as well as perform Google searches and navigate to a destination with Google Maps. The ability to schedule reminders has been removed in the latest software release. Unfortunately, messages sent to Gmail accounts (with or without a photo) go to Hangouts, not to Gmail.

You can take photos by blinking your right eye after enabling the feature. The photos are immediately uploaded to your Google account in the sky. There also is an option to forward a photo to an email address. But choosing a recipient was problematic. If you have an extensive list of Contacts as we do, it’s almost impossible to navigate through the list or to use it reliably with the Glass speech-to-text function. Oftentimes you will find yourself inadvertently sending something to the wrong person with no notification as to who that person was. And there’s no quick way to cancel delivery. That is a major shortcoming of virtually all the Glass features presently. There is no “go back” or “never mind” or “hangup” voice command to cancel an activity. We often found ourselves tapping, swiping, and yelling at Glass in order to cancel some action. Painful is the kindest adjective we can muster. Do you have any idea how stupid you look tapping on the side of your head all the time? People really will think you’ve lost your marbles. Let’s put it this way. If the Google self-driving car worked as well as Glass, you’d be in a ditch or dead in a matter of minutes.

There are a whole host of additional features you can add to Glass. Google calls them Glassware. The process is straightforward, much like adding an app to a smartphone. Here’s a partial list to give you some idea of what’s already out there:

With all these potential applications, you’re undoubtedly asking yourself about battery life. In a word, it’s HORRIBLE. If you get a half day out of Glass even with minimal use, count yourself among the lucky ones. If the idea is that folks should wear Glass instead of glasses, you’re not going to be a happy camper. While Google has taken steps to shut off Glass when you’re not actively using it, this is an uphill battle. Glass depends upon Wi-Fi and Bluetooth and regularly communicates with your cellphone and the closest Wi-Fi access point. That’s a battery-consuming activity that is not going to be easily remedied without a bigger battery or better battery technology. As someone described it in the Google forum, “It’s like watching the gas gauge on a Ford Expedition with a 454 engine going up a mountain.” There’s a reason that over half the inside of a smartphone is reserved as a battery compartment. Unfortunately, Glass doesn’t have that luxury of space.

In conclusion, we were tempted to keep Glass only because of its novelty. Everybody likes to play with the latest toy. And we have a reputation to uphold. But the battery life and privacy issues are truly dealbreakers for us. Before it’s over, we suspect there will be overwhelming public demand for a little red blinking light on Glass to tell others when you’re doing something that might affect them. If you’ve seen the way people react when you point a movie camera at them with a blinking red light, you’ll at least know what you have to look forward to. There has been no bigger Google Glass evangelist than Robert Scoble. Check out his comments on why Google Glass is doomed. Then read today’s comments from Jeff Jarvis before you take the plunge. We’re saving our money for the self-driving car. Here’s hoping the people that make ours don’t read this review.

Originally published: Wednesday, February 5, 2014
