It's worse than that, actually. Cisco 7960's are pretty brain dead. They pull their configs off tftp based on the mac address. Flip the phone over and write down some digits and you're halfway there. Keys to the kingdom on the bottom of the phone.
I've actually checked out FreeSWITCH quite thoroughly. I believe I said before that I've used the app?
There were many of Diego's comments that I agreed with. I don't hate him. I never said I hate him. I think the strongest thing I said was "I'm beginning to think you are just a jerk." As far as i'm concerned, he is. In all honesty you can't behave like an idiot and expect to get your bugs looked at with any seriousness. You can't go onto public communities and rant completely off-topic without expecting some sort of backlash. Is it my fault that googling for Diego Viola turns up rampant lunacy? I think not.
I just think he acts like a troll and I fell for his bait so I felt the need to apologize to a community I feel a certain kinship with. I feel like I let Slashdot down yesterday by feeding the troll after contributing here for almost a decade.
There's no denying the fact that Diego acts like a jerk and posts pro-FreeSWITCH comments all over the internet. He's even admitted so. I don't really think any of my comments were out of line. In fact, I gave him the benefit of the doubt having not run into him on the internet before.
It didn't take too long to see through the agenda. He's a fanboi. Fanbois are annoying.
Nothing he has said here has really given anything positive or helpful to this discussion... Which, let me remind everyone, is about Asterisk and "Vishing" and has nothing to do with FS. Really, though, the problem is with shitty passwords and default settings which is an issue that plagues EVERY app when administered by an idiot.
I'm neither for or against FS for fucks sakes. Can I just drop out of this bullshit conversation now? I tried it and Asterisk serves my needs far better than FS does. Like I said before, we hack the code into smithereens in our labs and for us Asterisk just works. As a matter of fact, my original post in this thread-- http://tech.slashdot.org/comments.pl?sid=1421913&cid=29898993 --had many negative things to say about Asterisk's security model. Diego missed my point regarding "BADministrators" completely and launched into his FreeSWITCH agenda. I agreed with many of his comments regarding security models.
I'm through with this. Last post in this thread for me. None of this is really about Asterisk, FreeSWITCH or any VoIP platform. Even the quoted guy is pissed off about the comments being taken out of context. This is just stupid now. It's Mac vs. PC vs. Linux with the names changed to protect the innocent. All of you need to take your Asterisk vs. FreeSWITCH hate-on's back to Kindergarten where behaviour like that belongs. I've honestly never experienced any problems with either the Asterisk or FreeSWITCH community until yesterday.
If people don't like being called jerks then they probably shouldn't be acting like jerks. THE END.
It is but it's so flexible. I have a lot of fun emulating carrier's broken VoIP calls into our network with Asterisk.
No scalability, drops calls during a reboot, causes alarms on SBCs, no HA, load balancing requires a session director (perhaps another asterisk) of some sort.
The code is not pretty. Asterisk and sipP make a pretty good testbed, though. The T.30 to T.38 passthrough in 1.6.1 with the digium plugin is pretty cool.
Faxing from a web page to a land line is fun.
Hi Slashdot. I'm very sorry, but I fed the troll and I'll try not to do it again.
I've done a bit of research into this Diego fellow and I'd just like to apologize publicly for feeding the troll. You would think with a six-digit ID I'd been around long enough to recognize someone poking through the cage bars but Diego's agenda was well hidden at first and I fell hook, line and sinker.
Evidently, he got pissed off at some Asterisk developers back in the day and he's had a hate on ever since. He's now a Freeswitch fanboi and his lunacy outweighs that of any PC vs. Mac user.
He classifies himself as a FreeSWITCH engineer in job boards but I can't see how this could be helpful to his career in any way based on the way he presents himself in a public forum.
At any rate, even the FreeSWITCH people don't really like him so I'm going to ignore him from now on.
Again, sorry... I'll be more careful in the future.
I'm beginning to think you are just a jerk. Perhaps it's your interaction with devs that should be called into question?
Some of your bugs look like they got a lot of good attention despite the fact that your reports are terrible...
http://www.google.com/search?q=%22diego.viola%22+site%3Aissues.asterisk.org
Your bug reports are often not well documented or easily duplicated.
I've had excellent traction on bugs and issues from the asterisk dev teams.
I even go on IRC occasionally and ask really oddball what-if questions that get answered smartly.
Have you looked at http://packages.digium.com/ or maybe about checking out the svn branch for the version you are using?
You didn't say what distro you use but if it's YUM-capable that might be an option.
Personally, I'm against precompiled binaries for Asterisk. Asterisk source doesn't have any configs all other than samples. It's up to the admin to correctly configure the server. I like sticking to SVN as it allows me to make changes and also stay up to date. It's not perfect and I highly advise regression testing the code if you go that route as svn does sometimes break. Just stay out of the bleeding-edge branches.
IMHO the biggest mistake someone can make with Asterisk and security is downloading the source and doing the "make install samples" portion of the install. It seems like often those are the generic confs I've run across when looking at a pre-existing repo version.
Hand-tuned confs don't load needless modules and also eliminate a lot of security holes. Running asterisk -c over and over again until you get things working does actually suck but in the end is worth the effort. I wonder how many installs out there still have the stupid demo cruft in their production dialplans?
DISCLAIMER: I sometimes use ubuntu server so I can't really point any fingers re: CGL
Be careful, "ok for carrier-grade" isn't the same as being CGL 4.0 compliant. There are only a handful of certified CGL's.
http://www.linuxfoundation.org/collaborate/workgroups/cgl
I've personally had great experiences with Asterisk but we're using it in a completely nonstandard (if there is such a thing) way.
We do a lot of code hacking to emulate customer troubles with presentation, etc.
For us, it's great and filled our needs way better than a commercial offering that would have done the same but with a boatload of cash.
We don't deploy Asterisk as a vendor to clients so I can't comment on production viability.
(Ironically, I just got pinged by some of our security people regarding the latest exploit and now have some code to update.)
Oh yeah: The views expressed in this post (and any other post I've made in this thread) are mine alone and do not necessarily reflect the views of my employer.
I work in engineering design for an ILEC and admin Asterisk on a day-to-day basis within our test facilities.
I completely agree that Asterisk is not carrier-grade but that doesn't negate the fact that it's being used for carrier-grade applications by many operators.
Hell, most linux distros aren't carrier grade. We're not arguing that point. I agree completely.
To me, Asterisk is a perfect drop-in replacement for a legacy pbx when serving in-house sip clients. Perhaps saying the app is enterprise-class is a bit lofty?
Errors in terminology aside... We're on the same side.
FreeSwitch is nice but doesn't fix the bad admin issue which is really what the original article is about.
Agreed. Couple that fact with the fact that a lot of the repos I've seen are built off of older iterations of the Asterisk code and it's a recipe for disaster. For example, Ubuntu has Asterisk 1.4.21.2 in the repository right now. This is directly exploitable:
http://downloads.asterisk.org/pub/security/AST-2009-003.pdf
If you run code out of repos without understanding the risks that's still an admin fail, though. Not the fault of Asterisk, per se.
What a load of crap. Asterisk developers patch security holes relatively quickly. This isn't an Asterisk "endemic."
Brute forced passwords are a bad administrator "endemic."
If your password policy is so stupid that you can be wordlisted then the issue may just be a PICNIC problem and not a fault of an application.
Asterisk isn't a security application. It's an enterprise-grade VoIP server and PBX.
Connecting Asterisk to a public network without some sort of border control is just stupid.
You know what? It's about time Microsoft got something right? What is this? Ten versions or so?
Ubuntu wasn't really decent until around 8.
Mac? 10.6
They're just over par, I suppose.
That's a really decent idea. I work for an ILEC. Technically, I'm in translations design but as a matter of need I've been hacking Asterisk code and building really locked-down carrier-grade debian and Ubuntu internal versions. Everything I do is completely outside of my job description and I've been trying to figure out a way to document my experience when my manager doesn't even really understand what it is that I actually do anymore.
Kleeneness is next to Godelness.
