The post titled "trixbox CE audit tool official statement and "fixes"" includes an apology, details about what happened, and the fix to the Heartbeat script:
http://www.trixbox.org/forums/trixbox-forums/open-discussion/regarding-trixbox-trojan

From "it’s not a problem" to "oops" and then "all fixed" in six days is nearly warp speed. How about giving them a little credit for listening, and then taking care of the problem? A more typical response is to stonewall, evade, and then release both attack lawyers and oily PR persons.

I haven’t seen anything about a privacy policy, which seems to be the remaining bit of unfinished business.

That’s a wrong analogy. The analogy is like you were served a hamburger at a party but it has a parasite inside that it is going to live inside your body until you go to see a doctor, and only if the doctor finds out to tell you and treat you.

Sure nobody has "shuved" a hamburger down your throat, as it’s not polite at a party.

Give me a break. Your comment is equivalent to that we should never worry about this kind of security matter. You basically said that it is no big deal. Well, 99.9% of the people out there won’t agree with you.

And I’m not sure if you are hinting that the only reason there is a sucurity risk is only because the free users choose to take a free version vs. a commercial version. Are you kidding? The commercial version also has a controversial phone home "feature" as well and many people didn’t like that either.

And so far, I have not read about anything about sleeping with project manager’s wife or anything like that here. If you have a problem with such out of line stuff then take it to the place where it happened. Don’t take it here because I can’t read or even find out where, and you are lumping all the negatives here only to equalize the basic issue (fallacy).

You said "just turn it off, it’s no big deal". May be it is not being turned off because users didn’t find out about it. May be b/c Fonality didn’t inform the users?

If I were the person who is responsible for deploying something with a remote-BOT inside, I’d be very worried about my future career, even though it was not my own fault per se.

Mr. Hyde, you can’t be more serious? Gee

First Asterisk@Home suddenly changed names to TrixBox. This raises concern in the user community. The reasons given at the time were that Digium held a trademark and that they couldn’t use Asterisk in the name any more.

Then it is discovered that magnanimous Fonality is "sponsoring" Asterisk@Home/suddenly-Trixbox. But, don’t worry they aren’t taking over or anything.

Then we find out that Fonality is selling a proprietary version of TrixBox and now offers an appliance. But, don’t worry, TrixBox is still freely available. Never mind that it is increasingly crippled by comparison to the proprietary version.

Then the new free version comes out and you have to register just to install modules and updates. But, don’t worry, we’re not using the information for anything and nothing has changed, we just want to get an idea of how many people are using our product. Trust us.

Now, it is discovered that a surreptitiously placed module is installed and is phoning home nightly and that module can and does execute code of Fonality’s choosing as a trojan or bot does. But yet again(!) Kerry and crew down play the whole thing http://www.trixbox.org/forums/trixbox-forums/open-discussion/trixbox-phones-home claiming that:
It’s not a big deal because Trixbox has always phoned home.
It only collect statistics.
You can trust us.
We understand that you are uspset about it but we are working as hard as we can to develop a fix but, that will take days at a minimum.
It was unintentional.
You were never at risk.

All of the BS that has flooded out of this project over the past year and a half will hopefully end here. The TrixBox project and its Fonality drones are no longer trust worthy. If they ever were.

Does this mean I have an early enough version that I am not affected? Are there other "phone home" mechanisms in use in the version I have (version 2.0.0)?

[WM: ‘Heartbeat V.3.0′ didn’t come out ’til later. You’ve still got ‘Heartbeat V.2.0.’ You’ll need to go to the trixbox forums to find out how to disable it. I don’t think they thought up the clever name until yesterday so don’t search for heartbeat.]

Ward and the rest of the great people here I have to thank you so far I’m pretty happy with pbx in a flash

I still support the Nerdvittles project as they have been free and have been ingenious and invaluable, but this support is like that of a politician, I will vote for the one that has done the least bad now instead of one that I like.

[WM: A lot of people took our advice in well over 100 Nerd Vittles articles and tried Asterisk@Home and then trixbox these past few years. We felt some obligation to warn folks that may have upgraded to ‘Heartbeat V3.0’ as it is now described. Call it what you will, but if it walks like a duck, and quacks like a duck, it’s still a duck. This went well beyond being a heartbeat. It was a remotely-configurable BOT that penetrated the security of any enterprise in which it was installed.

After reading all of Kerry’s responses, it appears the remotely-configurable BOT is still running today. What’s unclear is whether this was some new hairbrain design (as I originally thought) or something that was ported over from Fonality’s commercial products. That’s pretty scary, too! Providing reliable phone service is a noble goal but not at the expense of adding serious infrastructure vulnerability for your users IMHO.]

This makes me think this is in fact the same mechanism used in the fonality PBX! I wonder if the Fonality user base know how vulnerable they have been!

Does anyone know whether the Fonality proprietary PBX system phones home in the same way?

[WM: Good questions.]

My approach will be to call my clients and let them know that a security bug has been found, and that I will be having to go and patch their systems. But, since this is a top priority bug, there will be no charge to them…

I believe that, by being open, honest, and fair to my clients, they still will respect and keep trusting me. What do you think?