2015 has been quite the year for the Asterisk® VoIP community. First came the surprise announcement that Sangoma® had acquired FreePBX®. Next, Digium® caved on Asterisk-GUI and adopted FreePBX as their “free” distribution giving Sangoma a virtual monopoly in the Asterisk graphical user interface and aggregation market. And then the fireworks began. There were only two open source and GPL-compliant Asterisk aggregations left: Elastix® and PBX in a Flash™.
We had been on a downhill slide with the Schmoozers for quite a while after their “commercial tech support” for PBX in a Flash morphed into a sales pitch to switch users to the FreePBX Distro. What they left out of the narrative was the fact that the FreePBX Distro is neither open source nor a GPL product. Not only is it laced with NagWare and CrippleWare, but you are prohibited from redistributing or reusing the code. While it’s copyrighted and trademarked up the ying yang, it’s also full of “trade secrets” and GPL code obtained for free from the open source community. So much for the GPL. The Free Software Foundation has long since lost its appetite for lawsuits. Digium has kept a low profile through all of this. That’s probably because they’re now 100% dependent upon FreePBX, an integral component in their morphed AsteriskNOW® product.
If you’ve been involved in the technology business, you already know that the marketing strategy for many companies is full of examples of the traditional Good Cop/Bad Cop routine: beat you up with the bad guy and then let the good guy swoop in to close the deal. With free software, there’s another hurdle. You’ve first got to persuade customers that they really don’t want something for nothing. They’ll be much better off paying for everything: software, add-ons, updates/upgrades, and support. Remember the old adage: “Nobody ever got fired for choosing IBM®.” Same song, different verse!
In the Asterisk VoIP community, there’s been another secret ingredient: fear, uncertainty, and doubt. Yes, good old FUD. This strategy relies upon confusing everybody to the point that they throw up their hands and stop believing anything anybody says. Then the good guy swoops in to close the commercial deal for the “safe company.” Classic IBM!
With a legal background, we’d be the first to admit that the FUD strategy is difficult to deal with. You’re trying to explain fairly complex technical material in a logical way and all of a sudden you’re bombarded with completely off-the-wall comments that have no basis in fact. If you love Fox News, you’re accustomed to this already. Never mind the images on the screen don’t match the story that’s being told. The point is to make things look worse than they are so that the blonde bombshell can swoop in and say literally anything… and you’ll believe it.
If you watched Tag Team Wrestling as a kid, you’ll appreciate this sales strategy. Here we use one of our employees to publish a position on social media such as Twitter or one of the forums. Then other employees chime in with how brilliant the first employee’s idea really was. Better yet, get a handful of anonymous resellers to join in. This is especially effective when the general public has no clue that these folks are affiliated with the company and its marketing strategy.
If all else fails, bring on the personal attacks. Anyone that doesn’t agree with your position is labeled a troll and the piling on begins from other employees and resellers. Of course, there are always a few that stay above the fray urging everyone to “just get along” for the sake of the Asterisk “community.” Classic Rodney King.
In the meantime, we’re watching an already fractured VoIP market that seems headed for oblivion. Have you watched how your kids communicate lately? Do you really think they’re going to be relying on PBXs ten or fifteen years down the road when all of their smartphone calls and messaging are basically free? Did we mention the other elephants in the room: Skype, Hangouts, and FaceTime? America’s Big 3 already provide free worldwide telecommunications and video conferencing with any smartphone or desktop computer. And TV support is becoming commonplace. So… Party On, FUD Masters.
Let’s look at a few examples of how this has played out. The best example is security. No sane IT guy would ever run a VoIP server fully exposed to the Internet without several layers of security including either a hardware or software-based firewall. That’s Networking 101. Yet there was a group of folks in the Asterisk community that, over the course of 10 years, never mentioned firewalls at all… until a few months ago. Guess who? And guess who’s server platform consistently got hacked? The response: FUD, and lots of it. When users began reporting totally compromised servers, “the team” response was disbelief and, of course, a post documenting a vulnerability in PBX in a Flash. The difference? The PBX in a Flash vulnerability still required administrator permission and an admin password for access. But, hey, it was a vulnerability and all vulnerabilities are alike, right? Wrong. Pure FUD but the equal billing of both vulnerabilities on their forum for months presumably achieved the goal of demonstrating that all software has “issues” from time to time.
— Rob Thomas (@xrobau) October 14, 2015
And then there was the FreePBX Firewall, a recent creation that runs within the FreePBX GUI and is accessible within a web browser without root user permissions. There’s only one catch. A vulnerability in the firewall gave the intruder root access to the server without ever obtaining root user credentials. It doesn’t get much more dangerous than that. And, sure enough, while the developer was at AstriCon crowing about his awards and firewall accomplishments, a root exploit was identified less than a week after the product hit the market. The response? We fixed the only known vulnerability. Well, not so fast. The problem with the design is that users were continually locking themselves out of their own servers because they didn’t quite know what they were doing in implementing the new firewall rules. After bad-mouthing PortKnocker as an overly complex magic incantation, the developer couldn’t quite bring himself to go that route to get users back into their servers. After all, firewalls are supposed to be easy. Instead, he chose to disable the firewall entirely during the first 5 minutes after a server was rebooted. Sounds great, right? Wrong again. Almost any DDOS attack has the potential to crash a server and force a reboot. Guess who gets the easy pass to hack your server after the server comes crashing down? You may be wondering how a root vulnerability occurs when FreePBX runs as the asterisk user. Good question. And the answer is you have to load the encrypted SysAdmin module which reportedly gives itself root permissions to servers. In response… FUD and more FUD.
Advising people to disable security features then shrugging them off when they get hacked and lose money. #gotcha
— James Finstrom (@JamesFreePBX) November 17, 2015
The latest FUD involves the so-called Module Signature Checking mechanism in FreePBX 12. Sangoma claims it was to protect end-users by throwing up glaring error messages whenever you install or use a FreePBX module that wasn’t produced by (you guessed it!) Sangoma. Our take is it was a not-so-subtle attempt to freeze everyone else out of the FreePBX module development market where Sangoma hopes to make a fortune in license fees and renewal contracts. Dream on. The downside is that, with the exception of a single module to support Digium® phones, there hasn’t been a non-Sangoma module for FreePBX produced in years! The FUD hit the fan when we published (OPTIONAL) code to let administrators remove the module signature checking mechanism if they chose to do so. This meant FreePBX 12 GPL modules worked exactly like those in every previous version of FreePBX. Suddenly, lack of module signatures became a security issue… except in earlier FreePBX releases, of course. What’s particularly disingenuous about this latest FUD attack is that FreePBX 2.11 and prior releases are still in active use. None of those releases even had the option to enable module signature checking whether an administrator wanted it or not. And, of course, all Incredible PBX builds include a preconfigured firewall that blocks all of the bad guys from even seeing your server much less attacking it. But suddenly our giving the administrator the option to use module signature checking has become a critical “security issue” that will cause users to “get hacked and lose money.” That’s the Sangoma FUD mentality we’re dealing with folks.
Finally, let’s talk about hardware. Sangoma loves hardware. It is or, more accurately, was their bread and butter. First, they touted their Session Border Controller as the only way to protect an Asterisk server. For the FUD scorecard on SBCs, read our SBC article. And then there are the Asterisk appliances, preconfigured FreePBX Distro boxes running on generic (overpriced) computer platforms. In a recent article, we noted that a $200 Intel® NUC could run circles around the entry-level $579 FreePBX Phone System 50. And, for $500, a high performance Intel NUC could actually run a half-dozen or more Asterisk servers. Didn’t take long for a FreePBX cheerleader to crank up the FUD proclaiming that Intel NUC’s won’t boot:
— Rob Thomas (@xrobau) November 11, 2015
Of course, if Mr. Messano had bothered to read the Nerd Vittles article, he would have learned that it only took about 10 seconds to apply a BIOS tweak that solved the booting problem forever. But, again, the damage was done. Believe it or not, many casual observers derive much of their technical expertise from 140-character tweets. And some will no doubt conclude that there must be a problem with the Intel hardware. Otherwise, why would some stranger suggest such a thing.
The point of all this is to document why those relying upon Asterisk for their bread and butter would do well to start devising a backup plan. Many in the business, medical, and government communities are reluctant to touch Asterisk with a 10-foot pole and now you know why. Over 500,000 people read Nerd Vittles each year. That’s not to suggest that they all agree with everything we suggest. But you can rest assured that they will continue to hear both sides when these hit-and-run attacks occur. As a CEO in the Asterisk “community,” we’d be asking whether this approach is really worth the cost to the shareholders? While the derisive comments of some employees may play well to backslapping coworkers, the long-term consequence of alienating actual decision-makers reading this misleading FUD will be to drive serious customers to other platforms permanently. “Where there’s smoke, there’s probably fire” goes the old saying. And, while Asterisk 13 has proven itself to be a good platform for a business phone system, the end-user alienation and disingenuous FUD ultimately are going to have repercussions for businesses that have chosen to earn a living using Asterisk. As an Asterisk evangelist and a shareholder of Sangoma, we view these developments as unfortunate because the wounds are mostly self-inflicted.
For the rest of the story…
- An Open Letter to Sangoma: Here’s to a New Beginning in 2015
- We Have a Dream, Too: The Return of (Gotcha-free) Open Source GPL Software
- Turning the Page on Asterisk GUIs: Here’s to a New Beginning with a GUI Facelift
- Wear Something Green for May Day: The Schmoozification of Sangoma
- Freedom and the FreePBX Cloud: Is an Apple-like Ecosystem GPL-Compliant?
- Holey Socks! It’s the Missing FreePBX GPL Source Code, Or Is It?
Originally published: Wednesday, November 18, 2015
Need help with Asterisk? Come join the PBX in a Flash Forum.
Awesome Vitelity Special. Vitelity has generously offered a terrific discount for Nerd Vittles readers. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. When you use our special link to sign up, Nerd Vittles gets a few shekels down the road to support our open source development efforts while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For our users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls and four simultaneous channels for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. NOTE: You can only use the Nerd Vittles sign-up link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage. Any balance is refundable if you decide to discontinue service with Vitelity.
Some Recent Nerd Vittles Articles of Interest…