[Freeswitch-users] remove in local SDP word FREESWITCH

Dmitry Lysenko dvl36.ripe.nick at gmail.com
Mon Jun 24 11:07:48 MSD 2013


Freeswitch is open source and that's great. So checking the sources will
resolve this problem.


2013/6/24 Ken Rice <krice at freeswitch.org>

> Which actually breaks things... For example... We actually put FS
> into a special mode when we detect sonus... Why would we do this? Because
> sonus has broken RTP and we have to do this for compatibility reasons...
> There's other things that may happen along these lines also...
>
>
>
> On 6/24/13 1:19 AM, "John M" <j_mj at aol.com> wrote:
>
> I don't think anyone expects that security by obscurity is all you need ..
> but in terms of tools that you use to secure your network it's a valid
> addition.
>
> Kinda like putting your hand over the keypad while entering your PIN at
> the ATM, it's not all you need to do but it's an extra step to help keep
> your account secure.
>
> If I present my server as an asterisk server and the attacker has a
> special set of scripts to attack Asterisk .. he'll probably/might use them
> and when it fails .. move on.
>
> In regard to the ability to be able to disguise the switch name .. I think
> this is a valid reason.
>
> Another one that comes to mind is competition .. we work in a tight local
> market and have some competitors that follow us like sheep .. whatever
> price we set they follow.. etc..
>
> They run similar platforms hosted on Asterisk servers .. we are switching
> to FS and this is going to give us an edge .. I don't want these
> competitors to know that we are using a superior platform .. so I modify
> the name so if they are connected to us via a pseudo account to monitor our
> features they still think we're using Asterisk...
>
>
>
> -----Original Message-----
> From: Steven Ayre <steveayre at gmail.com>
> To: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
> Sent: Fri, Jun 21, 2013 6:05 pm
> Subject: Re: [Freeswitch-users] remove in local SDP word FREESWITCH
>
> 2) *Security through obscurity != security* it's always better than
> nothing. " hey you don't need to guess the
> software I'm using , I'm giving the info for free just find an entry
> point  and you got it ...."
>
>
> Actually I'd argue the opposite. Security through obscurity often makes
> people assume they're secure and therefore neglect securing their systems
> in the places that actually matter.
>
> The only argument I can really see of hiding that you're running $version
> of $product is that a bug in that $version means an exploit exists.
>
> If that's the case then you need to upgrade to a patched copy of $product
> - you can NOT rely on the fact that people will not realise that they can
> use the exploit because you're hiding what you're running.
>
> The flaw still exists and attackers might either a) guess you're using
> $product and try the exploit anyway or b) have their bot just randomly try
> every exploit in the book against you until one works in which case they
> don't even need to know you're using $product.
>
> The things that matter are actually verifying your authentication is
> working correctly, you're running the latest software, you're following
> software updates / security announcements, etc.
>
> Besides even when $product/$version are hidden they can often be found
> through fingerprinting by looking at differing behaviour between different
> products and within a product between versions.
>
> -Steve
>
>
>
>
> On 21 June 2013 07:59, Antonio Teixeira <eagle.antonio at gmail.com> wrote:
>
>
>
> @Ken
>  I think we need to drop into the real world...
>
>  1) Ok .,... Don't forget to say thanks to Debian , CentOS , Fedora , PHP
> , Python , Microsoft , all the authors of the OpenSource Libs , the creator
> of Make , the creator of the IDE that the Dev team uses ,  etc etc when you
> deliver the next project to your client ...
>
>  2)
>  *Security through obscurity != security* it's always better than nothing.
> " hey you don't need to guess the
>  software I'm using , I'm giving the info for free just find an entry
> point  and you got it ...."
>
>  I could also imagine you agree with showing the version of the software
> in the HTTP headers (stuff that happens on some webservers/libs ( from my
> mind I can recall Django?!).
>
>  3)
>  The client pays, he doesn't really care about what software you use (
> unless he fears some patent infringement) he wants results.
>
>  4)
>  No , Compliance could be internal or external the end-client could simply
> say "i don't want the freeswitch brand".
>
>
>  ---- ///// ----
>  @all
>  I don't know you guys but my daily work is developing software for some
> fairly large financial institutions and sincerely I think you are all
> overreacting to this thing.
>  Yes if you open-source something you will get part of your software
> stolen , changed or used in a way you were not expecting and not given
> credit for , that's life. If you don't want it , close the source , resell
> it , ask for NDA's , etc.
>  In my daily work me and my colleagues use a lot of open source ( contrary
> to the popular belief) , closed source and everything in between and you
> don't expect a public statement thanking anyone for anything.
>
>  This is the way life works and with open-source this is our current world
> ( i think the FS Team could even offer a fully custom branded solution) so
> it could help monetize the project.
>
>  And before you start thinking yes I bought G729 licenses , the FS Book
> even before it was out and no, too many miles between me and ClueCon , yes I
> know airplanes exist :D.
>
>  P.S - I also assume that you all as sysadmins once found a problem that a
> blogger may have solved and on your final report to the administration you
> didn't write " problem solved by Blogger XXXXXX"....
>
>  And never forget he is just the mailman sometimes the boss wants
> something ( even if not morally correct ) and you have to do it.
>  But the point raised by Anthony regarding the SDP "freeswitch flag" is
> important and you be featured on the wiki :)
>
>  Antonio Teixeira
>
>
>
>  On 6/19/13 3:49 PM, Ken Rice wrote:
>
>
>
>
> Ok... Lets look at these...
>
> Branding... I don't want to show people that I'm using F/OSS software for
> running my for profit business so I can tell them I'm using either
> ${some_comercial_platform} or ${we_developed_this_ourselves}
>
> Security/Security Requirements - Security through obscurity != security...
>
> Client Requirements - That's a new one... Unless client is <see
> branding>
>
> Compliance - isn't this the same thing as see security
>
>
> On 6/19/13 8:44 AM, "Antonio Teixeira" <eagle.antonio at gmail.com> wrote:
>
>
>
>
> I could think of
>
> Branding
> Security
> Client Requirements
> Security Requirements
> Compliance
>
>
> On 6/19/13 2:37 PM, Michael Jerris wrote:
>
>
>
> Why would you want to do that?
>
> On Jun 19, 2013, at 9:28 AM, Abdullah <abdullah at smonte.com> wrote:
>
>
>
>
> Hi all,
>
> please help me, how to change or remove o=*"FreeSWITCH"* in the FreeSWITCH CLI
> log.
>
> Any idea??
>
>
>
> o=FreeSWITCH 1369449071 1369449072 IN IP4 10.10.50.1
>    s=FreeSWITCH
>    c=IN IP4 10.10.50.1
>
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> 
> 
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://wiki.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
>
> --
> Ken
> *http://www.FreeSWITCH.org
> http://www.ClueCon.com
> http://www.OSTAG.org
> *irc.freenode.net #freeswitch
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20130624/b3a8a3d9/attachment-0001.html 
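
As an added example (not part of the thread and not FreeSWITCH's own code): a small check an operator could run over SDP captured from their own switch to see which session-level fields name the product, using the o=/s= lines pasted in the original question. The token watch-list and the renamed sample are assumptions constructed for this example.

```python
import re

# Assumed watch-list of product names for this example.
PRODUCT_TOKENS = ("freeswitch", "asterisk")

# The lines pasted in the original question, mail-quote markers included.
SAMPLE_FROM_THREAD = """\
> o=FreeSWITCH 1369449071 1369449072 IN IP4 10.10.50.1
>    s=FreeSWITCH
>    c=IN IP4 10.10.50.1
"""

# Constructed sample: the same session with neutral o=/s= values.
RENAMED_SAMPLE = """\
o=- 1369449071 1369449072 IN IP4 10.10.50.1
s=call
c=IN IP4 10.10.50.1
"""

def audit_sdp(sdp, tokens=PRODUCT_TOKENS):
    """Return (field, value, token) findings for session-level SDP lines
    that name the software which produced them."""
    findings = []
    for raw in sdp.splitlines():
        # Drop mail-quote markers and indentation, as in the pasted log.
        line = raw.lstrip("> \t").rstrip()
        m = re.match(r"^([a-z])=(.*)$", line)
        if not m:
            continue
        kind, value = m.groups()
        if kind == "m":
            break  # media sections start here; o= and s= are session-level
        if kind == "o":
            # RFC 4566: o=<username> <sess-id> <sess-version>
            #             <nettype> <addrtype> <unicast-address>
            parts = value.split()
            if len(parts) != 6:
                findings.append(("o=", value, "malformed"))
                continue
            field, text = "o= username", parts[0]
        elif kind == "s":
            field, text = "s= session name", value
        else:
            continue
        findings += [(field, text, t) for t in tokens if t in text.lower()]
    return findings

if __name__ == "__main__":
    for name, sdp in (("thread", SAMPLE_FROM_THREAD), ("renamed", RENAMED_SAMPLE)):
        print(name, audit_sdp(sdp))
```

A clean result covers only these two fields; as noted in the thread, the product can often still be identified through behaviour-based fingerprinting.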

