2015 has been quite the year for the Asterisk® VoIP community. First came the surprise announcement that Sangoma® had acquired FreePBX®. Next, Digium® caved on Asterisk-GUI and adopted FreePBX as their "free" distribution giving Sangoma a virtual monopoly in the Asterisk graphical user interface and aggregation market. And then the fireworks began. There were only two open source and GPL-compliant Asterisk aggregations left: Elastix® and PBX in a Flash™.
We had been on a downhill slide with the Schmoozers for quite a while after their "commercial tech support" for PBX in a Flash morphed into a sales pitch to switch users to the FreePBX Distro. What they left out of the narrative was the fact that the FreePBX Distro is neither open source nor a GPL product. Not only is it laced with NagWare and CrippleWare, but you are prohibited from redistributing or reusing the code. While it’s copyrighted and trademarked up the ying yang, it’s also full of "trade secrets" and GPL code obtained for free from the open source community. So much for the GPL. The Free Software Foundation has long since lost its appetite for lawsuits. Digium has kept a low profile through all of this. That’s probably because they’re now 100% dependent upon FreePBX, an integral component in their morphed AsteriskNOW® product.
If you’ve been involved in the technology business, you already know that the marketing strategy for many companies is full of examples of the traditional Good Cop/Bad Cop routine: beat you up with the bad guy and then let the good guy swoop in to close the deal. With free software, there’s another hurdle. You’ve first got to persuade customers that they really don’t want something for nothing. They’ll be much better off paying for everything: software, add-ons, updates/upgrades, and support. Remember the old adage: "Nobody ever got fired for choosing IBM®." Same song, different verse!
In the Asterisk VoIP community, there’s been another secret ingredient: fear, uncertainty, and doubt. Yes, good old FUD. This strategy relies upon confusing everybody to the point that they throw up their hands and stop believing anything anybody says. Then the good guy swoops in to close the commercial deal for the "safe company." Classic IBM!
With a legal background, we’d be the first to admit that the FUD strategy is difficult to deal with. You’re trying to explain fairly complex technical material in a logical way and all of a sudden you’re bombarded with completely off-the-wall comments that have no basis in fact. If you love Fox News, you’re accustomed to this already. Never mind the images on the screen don’t match the story that’s being told. The point is to make things look worse than they are so that the blonde bombshell can swoop in and say literally anything… and you’ll believe it.
If you watched Tag Team Wrestling as a kid, you’ll appreciate this sales strategy. Here we use one of our employees to publish a position on social media such as Twitter or one of the forums. Then other employees chime in with how brilliant the first employee’s idea really was. Better yet, get a handful of anonymous resellers to join in. This is especially effective when the general public has no clue that these folks are affiliated with the company and its marketing strategy.
If all else fails, bring on the personal attacks. Anyone that doesn’t agree with your position is labeled a troll and the piling on begins from other employees and resellers. Of course, there are always a few that stay above the fray urging everyone to "just get along" for the sake of the Asterisk "community." Classic Rodney King.
In the meantime, we’re watching an already fractured VoIP market that seems headed for oblivion. Have you watched how your kids communicate lately? Do you really think they’re going to be relying on PBXs ten or fifteen years down the road when all of their smartphone calls and messaging are basically free? Did we mention the other elephants in the room: Skype, Hangouts, and FaceTime? America’s Big 3 already provide free worldwide telecommunications and video conferencing with any smartphone or desktop computer. And TV support is becoming commonplace. So… Party On, FUD Masters.
Let’s look at a few examples of how this has played out. The best example is security. No sane IT guy would ever run a VoIP server fully exposed to the Internet without several layers of security including either a hardware or software-based firewall. That’s Networking 101. Yet there was a group of folks in the Asterisk community that, over the course of 10 years, never mentioned firewalls at all… until a few months ago. Guess who? And guess whose server platform consistently got hacked? The response: FUD, and lots of it. When users began reporting totally compromised servers, "the team" response was disbelief and, of course, a post documenting a vulnerability in PBX in a Flash. The difference? The PBX in a Flash vulnerability still required administrator permission and an admin password for access. But, hey, it was a vulnerability and all vulnerabilities are alike, right? Wrong. Pure FUD, but the equal billing of both vulnerabilities on their forum for months presumably achieved the goal of demonstrating that all software has "issues" from time to time.
— Rob Thomas (@xrobau) October 14, 2015
And then there was the FreePBX Firewall, a recent creation that runs within the FreePBX GUI and is accessible within a web browser without root user permissions. There’s only one catch. A vulnerability in the firewall gave the intruder root access to the server without ever obtaining root user credentials. It doesn’t get much more dangerous than that. And, sure enough, while the developer was at AstriCon crowing about his awards and firewall accomplishments, a root exploit was identified less than a week after the product hit the market. The response? We fixed the only known vulnerability. Well, not so fast. The problem with the design is that users were continually locking themselves out of their own servers because they didn’t quite know what they were doing in implementing the new firewall rules. After bad-mouthing PortKnocker as an overly complex magic incantation, the developer couldn’t quite bring himself to go that route to get users back into their servers. After all, firewalls are supposed to be easy. Instead, he chose to disable the firewall entirely during the first 5 minutes after a server was rebooted. Sounds great, right? Wrong again. Almost any DDoS attack has the potential to crash a server and force a reboot. Guess who gets the easy pass to hack your server after the server comes crashing down? You may be wondering how a root vulnerability occurs when FreePBX runs as the asterisk user. Good question. And the answer is you have to load the encrypted SysAdmin module which reportedly gives itself root permissions to servers. In response… FUD and more FUD.
Advising people to disable security features then shrugging them off when they get hacked and lose money. #gotcha
— James Finstrom (@JamesFreePBX) November 17, 2015
The latest FUD involves the so-called Module Signature Checking mechanism in FreePBX 12. Sangoma claims it was to protect end-users by throwing up glaring error messages whenever you install or use a FreePBX module that wasn’t produced by (you guessed it!) Sangoma. Our take is it was a not-so-subtle attempt to freeze everyone else out of the FreePBX module development market where Sangoma hopes to make a fortune in license fees and renewal contracts. Dream on. The downside is that, with the exception of a single module to support Digium® phones, there hasn’t been a non-Sangoma module for FreePBX produced in years! The FUD hit the fan when we published (OPTIONAL) code to let administrators remove the module signature checking mechanism if they chose to do so. This meant FreePBX 12 GPL modules worked exactly like those in every previous version of FreePBX. Suddenly, lack of module signatures became a security issue… except in earlier FreePBX releases, of course. What’s particularly disingenuous about this latest FUD attack is that FreePBX 2.11 and prior releases are still in active use. None of those releases even had the option to enable module signature checking whether an administrator wanted it or not. And, of course, all Incredible PBX builds include a preconfigured firewall that blocks all of the bad guys from even seeing your server much less attacking it. But suddenly our giving the administrator the option to use module signature checking has become a critical "security issue" that will cause users to "get hacked and lose money." That’s the Sangoma FUD mentality we’re dealing with folks.
Finally, let’s talk about hardware. Sangoma loves hardware. It is or, more accurately, was their bread and butter. First, they touted their Session Border Controller as the only way to protect an Asterisk server. For the FUD scorecard on SBCs, read our SBC article. And then there are the Asterisk appliances, preconfigured FreePBX Distro boxes running on generic (overpriced) computer platforms. In a recent article, we noted that a $200 Intel® NUC could run circles around the entry-level $579 FreePBX Phone System 50. And, for $500, a high performance Intel NUC could actually run a half-dozen or more Asterisk servers. Didn’t take long for a FreePBX cheerleader to crank up the FUD proclaiming that Intel NUCs won’t boot:
— Rob Thomas (@xrobau) November 11, 2015
Of course, if Mr. Messano had bothered to read the Nerd Vittles article, he would have learned that it only took about 10 seconds to apply a BIOS tweak that solved the booting problem forever. But, again, the damage was done. Believe it or not, many casual observers derive much of their technical expertise from 140-character tweets. And some will no doubt conclude that there must be a problem with the Intel hardware. Otherwise, why would some stranger suggest such a thing?
The point of all this is to document why those relying upon Asterisk for their bread and butter would do well to start devising a backup plan. Many in the business, medical, and government communities are reluctant to touch Asterisk with a 10-foot pole and now you know why. Over 500,000 people read Nerd Vittles each year. That’s not to suggest that they all agree with everything we suggest. But you can rest assured that they will continue to hear both sides when these hit-and-run attacks occur. As a CEO in the Asterisk "community," we’d be asking whether this approach is really worth the cost to the shareholders. While the derisive comments of some employees may play well to backslapping coworkers, the long-term consequence of alienating actual decision-makers reading this misleading FUD will be to drive serious customers to other platforms permanently. "Where there’s smoke, there’s probably fire" goes the old saying. And, while Asterisk 13 has proven itself to be a good platform for a business phone system, the end-user alienation and disingenuous FUD ultimately are going to have repercussions for businesses that have chosen to earn a living using Asterisk. As an Asterisk evangelist and a shareholder of Sangoma, we view these developments as unfortunate because the wounds are mostly self-inflicted.
For the rest of the story…
- An Open Letter to Sangoma: Here’s to a New Beginning in 2015
- We Have a Dream, Too: The Return of (Gotcha-free) Open Source GPL Software
- Turning the Page on Asterisk GUIs: Here’s to a New Beginning with a GUI Facelift
- Wear Something Green for May Day: The Schmoozification of Sangoma
- Freedom and the FreePBX Cloud: Is an Apple-like Ecosystem GPL-Compliant?
- Holey Socks! It’s the Missing FreePBX GPL Source Code, Or Is It?
Originally published: Wednesday, November 18, 2015
Need help with Asterisk? Come join the PBX in a Flash Forum.