FYI About Phonebo.cx

phonebo.cx

New Member
Joined
Jul 25, 2016
Messages
17
Reaction score
3
I'm sorry it's taken so long to post more about this, but, we have our reasons. Hopefully this post will expand on who we are, and what we want to do.

Firstly, a bit of background about us. There's 4 of us, and we refer to ourselves, and you may refer to us, as dev1, dev2, dev3 and dev4. I'm dev4. I'm the only one who is a native English speaker and I asked to be the one that does most of the public announcements.

Dev1 and Dev3 are from India, and none of us know where Dev2 is from (I'm guessing China, just because of some of his/her commits). I'm from the US, and I'm the one that started this and wanted us to be Anonymous.

Can you try to guess who we are? Sure. We'll never admit it! However, there may be a time in the future, when we DO need to publicly verify who we are. In that case, you will be able to trust any message signed by bitcoin ID 1ezbaYZnCF7NX7egSa5EDPvgoCjgERPdL - this is confirmed by our twitter here:
How did we meet? In IRC and various other anonymous hangouts, where we discovered we all shared a common interest in VoIP!

Why so much secrecy? That's the big question. There's a lot of things that are scary in VoIP. There's indemnities, E911, spam, patents, trolls, lawsuits, and a lot of other things that we just don't want to get involved in. The easiest way to not get involved in it is to not tell anyone who we are. As we all are large fans of Open Source, and we have no interested in making of money, we don't feel any need to make ourselves public. (kat.cr was exposed because of his money trail, for example!) We hope our code will speak for us.

What are we planning on doing? We've been gifted some AWS resources that will cover our first stage.

The first part is taking FreePBX 13 and making sure that there are no hidden traps inside it. We have discovered a couple of hooks as part of our original brief security audit that are used as part of the (we assume) sysadmin module, but we want to investigate it further.

The second part is setting up a new mirror server and making sure it keeps up to date with the Schmooze servers. We have already written some sample code for this (it seems very simple), but making it happen automatically is going to be the hard part.

Luckily for us, git is very smart for these sort of things, and dev2 knows everything about it, and will be helping with those parts.

From there, we shall be being good open source community members, and sending our changes back as pull requests to Schmooze, to see if they take them! I'm sure that'll be funny to watch, if they refuse them.

One of the discussions we've had internally is what to do about module signing. This is another reason for us to be anonymous. We strongly agree that module signatures are a great idea. We strongly disagree with Sangoma being the only people who can sign keys to produce modules. So one of the things we'll be doing is making sure that multiple 'root' keys can be used. At the moment, only one key is hard-coded in there, which is the Sangoma key. One of our first pull requests will be to make that master key replaceable, and appendable.

This gets into the point that Sangoma are making, that they may be liable if someone does bad stuff with a signed key. That's not a problem for us, we don't care. We're anonymous! Who are you going to sue? Ghostbusters!

That was the end of the document we were all working on, and if you have any questions, please feel free to ask them here, on twitter (@phonebocx) or on the FreePBX Forums (we have a thread there - community.freepbx.org/t/36132/ that you may read).

We're all human, so if we do give out conflicting information, please forgive us, and make sure you ask for clarification.

Thanks!

The phonebo.cx team.
 

phonebo.cx

New Member
Joined
Jul 25, 2016
Messages
17
Reaction score
3
Oh, we are banned from dslreports because they think we are spammers. So please do not talk about us there, we can not reply. Please only talk here or on the freepbx forums (or twitter!)
 

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
1,607
Reaction score
826
I have no side to this argument but am intrigued, it seems well intentioned but a litttle unrealistic in the long term.

Tor and bitcoin are however "fiat" based, that means we have to trust the media and that trust is only worth the trust you credit them with, (caveate emptor)

As a cynic I would have to ask "why should you be trusted?" and is Mr. Moti a good guy? (that's for background :) )

Otherwise, "go for it" !!
 

phonebo.cx

New Member
Joined
Jul 25, 2016
Messages
17
Reaction score
3
> Tor and bitcoin are however "fiat" based

I'm sorry, I don't understand. We are using Tor and Bitcoin for anonymity, for explicitly no trust. That is why we are using it. As the X-Files said, 'Trust No One'.
 

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
1,607
Reaction score
826
Exactly, "trust no One" why should we trust you? It would not be the first time that an identity hid behind anonymity, and who knows what "bad actor" might be possible be "pulling your strings"?

I'm not in any way suggesting that you are that bad actor, but without disclosure you surely expose yourself to that criticism, especially from a long term cynic. ( Me).

To fork FreePBX, that is about 200K lines of code where a problem might be hidden. That's a big trust we would have to accept from you, no?

Regards
 
Last edited:

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
One would hope that code changes will be documented so that they can be independently verified. That would go a long way toward establishing trust.

The actual code changes to transform the existing product into a non-proprietary one probably are not that substantial although we have not examined version 13 personally.
 

cyberco

New Member
Joined
Aug 30, 2010
Messages
10
Reaction score
5
Why would anyone use your fork in anything but a hobby enviorment.
Your comment "This gets into the point that Sangoma are making, that they may be liable if someone does bad stuff with a signed key. That's not a problem for us, we don't care. We're anonymous! Who are you going to sue? Ghostbusters!"
sums it up really. No one would risk it in a commercial environment. and as you also say elsewhere you are not offering any support, telling people to go to the freepbx community forums for that...
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
gift-horse.jpg
 

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
1,607
Reaction score
826
Not without a little irony, apparently Ronnie had a source:-

Доверяй, но проверяй
 

phonebo.cx

New Member
Joined
Jul 25, 2016
Messages
17
Reaction score
3
There seems to be a bit of confusion that was brought on by Dickos comment. We explicitly don't want anyone to trust us. There is no need to trust us. We're taking FreePBX, removing a few small pieces here and there, and pushing it straight back to github. Anyone can do a diff against the two repositories to see the differences. As things go on, we expect Sangoma will either accept or reject our pull requests. Let us see what happens from there on.

The latest good news is that a web designer has approached us and is helping out with our web design. We're explicitly not going to be providing a forum, so it will be a very simple website with only updates and status.

Once again to clarify; We are not asking you for anything - not your trust, not your money, not even your time. We are giving you everything. We will do this even if it is ignored. However, the excitement that has been generated has helped already, with the web designer, which is excellent.

Thank you for your time.
 

krzykat

Telecom Strategist
Joined
Aug 2, 2008
Messages
3,145
Reaction score
1,235
I personally welcome you guys and can't wait to see what you bring to the table. I think without some efforts like yours, the original intent of FreePBX and what it offered could be lost by Sangoma. Having it on Github allows thousands of people to help in keeping it up to date and even making a better product.

Please get involved with some of the conversations on the forum, giving back such as you are doing and getting involved will surely alleviate some of the concern and have people trust you more.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
The latest good news is that a web designer has approached us and is helping out with our web design.

However, the excitement that has been generated has helped already, with the web designer, which is excellent.

You shouldn't need much in the way of a new web design. Remove the FreePBX-centric artwork, and you should be good to go. The rest is GPL3 code. Take a look at the Incredible PBX ISO if you need some free artwork to fill in the missing pieces. Ours is pure GPL code top-to-bottom with NoGotchas. :arabia:
 

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
1,607
Reaction score
826
A quick look at the unique licenses you will need to contend with in FreePBX 13 (completely non commercial) :-

for i in `find /var/www/html/admin -iname LICENSE`;do md5sum $i;done|sort -n |awk '{print $2, $1}'|uniq -f 1|awk '{print $1}'

So it's a bit of a mish-mash and certainly not going to be easy legally, there are lower level code like mp3 and mysql that also have hindrances . If however all those licenses are acceptable to you, then I can't see the point of a fork and the risk of a lawsuit aginst us the trusting implimentors .

Further :--

grep -riE "trademark|license|copywrite" /var/www/html/admin/* |wc -l
14229

as you can see that would be a labor of love and without any desired recompense, I remain cynical.
 
Last edited:

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
@dicko Sorry, but GPL code isn't supposed to be this way. But there is something to be said for letting folks install their own operating system and then running an installer to get the remaining pieces you need.
 

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
1,607
Reaction score
826
Here a list of Commercial Modules, if you rely on ANY one of them, then this concept is not for you

Bria Cloud Solutions Stable Sangoma Technologies Corporation
Class of Service Stable Sangoma Technologies Corporation
Phone Apps Stable Sangoma Technologies Corporation
Sangoma MCU Stable Sangoma Technologies Corporation
System Admin Stable Sangoma Technologies Corporation
Zulu Stable Sangoma Technologies Corporation
Appointment Reminder Stable Sangoma Technologies Corporation
Broadcast Stable Sangoma Technologies Corporation
CallerID Managment Stable Sangoma Technologies Corporation
Conference Pro Stable Sangoma Technologies Corporation
Paging Pro Stable Sangoma Technologies Corporation
Parking Pro Stable Sangoma Technologies Corporation
Queues Pro Stable Sangoma Technologies Corporation
Voicemail Notifications Stable Sangoma Technologies Corporation
Web Callback Stable Sangoma Technologies Corporation
Extension Routes Stable Sangoma Technologies Corporation
Outbound Call Limit Stable Sangoma Technologies Corporation
SIPSTATION Stable Sangoma Technologies Corporation
SMS Stable Sangoma Technologies Corporation
Call Recording Report Stable Sangoma Technologies Corporation
Pinsets Pro Stable Sangoma Technologies Corporation
Queue Reports Stable Sangoma Technologies Corporation
Voicemail Reports Stable Sangoma Technologies Corporation
EndPoint Manager Stable Sangoma Technologies Corporation
Fax Configuration Professional Stable Sangoma Technologies Corporation
High Availability Services Stable Sangoma Technologies Corporation

but I must say that some are trivial and I suspect that others might just include "prior art" from the history of FreePBX development by the open source community, but we will never know because Its a Zen* thing

On the subject of signed signatures, I would ask that you look at what it does, it is intrinsically very limited, it notices changes between what you have right now and what you had a little while ago within it'\s bailiwick, it doesn't however catch intrusions that are outside of FreePBX per-se , i.e. html/rootkit vulnerabilities that ultimately impact /var/www/html/* or /etc/asterisk/*, there is no recovery , just a panic. I have used a different method (so far effectively) for years:-

http://community.freepbx.org/t/any-...re-checking-for-an-individual-module/28261/98

It does all that a "signature" does because it is effectively exactly that (using diff ;-) ) , it only relies on you to trust yourself and read your emails, and further provides a method to recover over many months in in the event of unnoticed penetration and also recover lost emails, if done to a remote machine, then disaster recovery also.

JM2CWAE
 
Last edited:

phonebo.cx

New Member
Joined
Jul 25, 2016
Messages
17
Reaction score
3
On the subject of signed signatures, I would ask that you look at what it does,

We have. We are happy with this implementation, as it does what it is designed to do. However, it does not allow third parties to act as signatories easliy. This is one of the first things we are going to fix.

This can be easily done by changing the hard-coded GPG key in GPG.class.php, but that just moves the authority. We aim to open the authority up, like your web browser has multiple trusted CAs. That is the significant design flaw in module signatures.

We have also discovered issues with PHP 5.6 and higher. We will not be supporting PHP 5.6 or 7, as only FreePBX 14 is meant to work with that (there are many changes, please look at core and framework 14 branches yourself for the commits). This means we are limiting our usability of FreePBX 13 to Ubuntu 14.04 and CentOS 7. This will be put on the website soon.
 

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
1,607
Reaction score
826
We have. We are happy with this implementation, as it does what it is designed to do. However, it does not allow third parties to act as signatories easliy. This is one of the first things we are going to fix.

This can be easily done by changing the hard-coded GPG key in GPG.class.php, but that just moves the authority. We aim to open the authority up, like your web browser has multiple trusted CAs. That is the significant design flaw in module signatures.

We have also discovered issues with PHP 5.6 and higher. We will not be supporting PHP 5.6 or 7, as only FreePBX 14 is meant to work with that (there are many changes, please look at core and framework 14 branches yourself for the commits). This means we are limiting our usability of FreePBX 13 to Ubuntu 14.04 and CentOS 7. This will be put on the website soon.

Then you will surely agree that is might give a very "false sense of security", no? asterisk is driven by it's dialplan, not php or freepbx directly and the last few noticed penetrations where not caught they only watch the code, nobody is watching the dialplan.

Perhaps a shame you left out Debian. Wouldn't you need to "rebrand" Centos?
 
Last edited:

Members online

Forum statistics

Threads
25,778
Messages
167,504
Members
19,198
Latest member
serhii
Get 3CX - Absolutely Free!

Link up your team and customers Phone System Live Chat Video Conferencing

Hosted or Self-managed. Up to 10 users free forever. No credit card. Try risk free.

3CX
A 3CX Account with that email already exists. You will be redirected to the Customer Portal to sign in or reset your password if you've forgotten it.
Top