[Freeswitch-users] Hacked FreeSWITCH mentioned on the Verge regarding bomb threats

Giovanni Maruzzelli gmaruzz at gmail.com
Wed Mar 15 12:29:59 MSK 2017


DEMO CONFIG (is a DEMO) is already:

1) printing in RED, CAPITALS, AS AN ERROR, a message ANY TIME a call is
made from a DEMO ACCOUNT
2) DEMO CONFIG HAS NO MEANS TO USE GATEWAYS, ALL CALLS ARE INTERNAL
3) DEMO CONFIG puts a DELAY, eg A PAUSE, of TEN (10) seconds before
ANSWERING (INTERNAL) CALLS

Why are we fussing about it at all?

If someone put the effort into editing and modifying the DEMO CONFIG to
circumvent all these safeguards, why do you believe we can do more to
prevent him?

-giovanni

On 15 March 2017 at 06:23, Sergey Safarov <s.safarov at gmail.com> wrote:

> I can add an RPM package script that changes the default password to a random one.
> Team, is it required to do it?
>
> Wed, 15 March 2017, 1:13 Mario G <mario_fs at mgtech.com>:
>
>> That’s a better idea. If any phone is registered with 1234 you can’t dial
>> out any gateway. You can have a big demo but no outside connection. Going
>> outside requires changing the password on all phones.
>>
>> On Mar 14, 2017, at 2:40 PM, Michael Jerris <mike at jerris.com> wrote:
>>
>> The demo config includes no way to dial out of a gateway…
>>
>>
>> On Mar 14, 2017, at 5:06 PM, David Villasmil <david.villasmil.work at gmail.com> wrote:
>>
>> IMHO, a demo config shouldn't be shipped out by default, it's very risky.
>> If everyone using freeswitch (or any other softswitch for that matter) for
>> the first time was a seasoned sysops, then yes. But this is very much not
>> the case.
>>
>> So maybe it would be safer for everyone to ship it out with a locked-down
>> config, so that user WILL learn how fs works by having to open features one
>> at a time... and then describe in the wiki how to implement the demo config
>> from a git repo.
>>
>> This way EVERYONE using fs for the first time Will know they are using a
>> demo config with everything defaulted and "open"...
>>
>> But this is just my opinion.
>> On Tue, Mar 14, 2017 at 9:58 PM Giovanni Maruzzelli <gmaruzz at gmail.com>
>> wrote:
>>
>> btw the problem is always with users/customers that change the demo
>> password "1234" (where there is a delay of 10 seconds put there by this
>> purpose)  to something like "password".
>>
>> And what I can do about this?
>>
>> I will put a safeguard against silly passwords, and you will make the
>> effort to circumvent also that safeguard because "is easier for my users"?
>>
>> On 14 March 2017 at 21:56, Giovanni Maruzzelli <gmaruzz at gmail.com> wrote:
>>
>> NO, the default password of the demo configuration is just that, a
>> DEFAULT password of a DEMO configuration.
>>
>> That is meant to DEMO just OUT OF THE BOX
>>
>> So, it must stay this way, because it just works, and is a demo
>>
>> Then, if you put a demo in production, the problem is between the monitor
>> and the seat, not in the software
>>
>> On 14 March 2017 at 21:46, David Villasmil <david.villasmil.work at gmail.com> wrote:
>>
>> Make the default password very obscure, randomized on the fly... that way
>> people will be crying because they can't figure out a password instead of
>> having noobies hacked :)
>>
>> On Tue, Mar 14, 2017 at 9:40 PM Mirko Brankovic <mirkobrankovic at gmail.com>
>> wrote:
>>
>> Indeed ;)
>>
>> On Mar 14, 2017 20:38, "Antonio Silva" <asilva at wirelessmundi.com> wrote:
>>
>> almost... until the user, to test, sets userid = password ... and forgets to
>> change it... oops... hacked...
>>
>> it's all about good practices.
>>
>> Regards,
>> António
>>
>> On 03/14/2017 07:39 PM, Mirko Brankovic wrote:
>>
>> Change default password to uuid(), so every new install will get a random
>> one ... Bulletproof :°D
>>
>> On Mar 14, 2017 19:30, "Brian West" <brian at freeswitch.org> wrote:
>>
>> This is exactly what prompted me to put the FOUR LINE CRIT statement when
>> the default password isn't changed along with a 10 second delay before
>> proceeding.  Still I see questions posted about the 10 second delay and
>> asking what it means. Not sure how to make it more clear.
>>
>> /b
>>
>>
>> On Tue, Mar 14, 2017 at 1:19 PM, Giovanni Maruzzelli <gmaruzz at gmail.com>
>> wrote:
>>
>> It's nice because they mention FreeSWITCH in the tag of the link, but the
>> link is about FreePBX.
>>
>> Anyway, it's true: if you do not use the standard security practice, and
>> leave your FreeSWITCH with standard password "1234", or maybe you change
>> the standard password to "password", you probably will be hacked, and phone
>> calls will be originated from your FreeSWITCH that you do not want to
>> originate.
>>
>> But, man, that's what you, and me, and anyone is expecting.
>>
>> Also, please do not drive wrong way in the autobahn :))
>>
>> -giovanni
>>
>>
>> On 14 March 2017 at 16:42, Mario G <mario_fs at mgtech.com> wrote:
>>
>> Thought some may be interested in this. I first saw it today via Apple
>> News… Related to tracing bomb threats and Jewish attacks… FreeSWITCH
>> mentioned twice.
>> http://www.theverge.com/2017/3/14/14913118/jcc-bomb-threats-anonymous-phone-calls-pdx-hacking
>>
>>
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>>
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://confluence.freeswitch.org
>> http://www.cluecon.com
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>
>>
>
>



-- 

Sincerely,

Giovanni Maruzzelli
OpenTelecom.IT
cell: +39 347 266 56 18
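Sergey's RPM-script idea above, sketched as shell functions (an example added here, not code from the thread or from the FreeSWITCH project). It assumes the stock vars.xml sets the demo password through the `default_password` X-PRE-PROCESS line, works on a constructed sample file instead of the real one, and treats "1234" and "password" (the two values the thread names) as the known-weak list.

```shell
#!/bin/sh
# Added example, not code from the thread or the FreeSWITCH project: replace the
# demo default_password in vars.xml with a random value and verify that no
# known-weak value remains. Sample file, path and weak-value list are assumptions.
set -eu

# Constructed stand-in for the line in a stock vars.xml that sets default_password.
write_sample_vars_xml() {
  printf '%s\n' '<include>' \
    '  <X-PRE-PROCESS cmd="set" data="default_password=1234"/>' \
    '</include>' > "$1"
}

# 24 random alphanumeric characters from the kernel CSPRNG.
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
}

# Print the value currently assigned to default_password in the file.
current_default_password() {
  sed -n 's/.*data="default_password=\([^"]*\)".*/\1/p' "$1"
}

# Succeed (exit 0) if the value is one of the weak defaults named in the thread.
is_weak_password() {
  case "$1" in
    ""|1234|password) return 0 ;;
    *) return 1 ;;
  esac
}

# Rewrite default_password in place with a fresh random value, re-read the file
# and fail unless the stored value is the new one and is not weak.
randomize_default_password() {
  file="$1"; newpw="$(gen_password)"
  sed -i.bak "s|data=\"default_password=[^\"]*\"|data=\"default_password=${newpw}\"|" "$file"
  rm -f "$file.bak"
  stored="$(current_default_password "$file")"
  if is_weak_password "$stored" || [ "$stored" != "$newpw" ]; then
    echo "default_password still weak or unchanged in $file" >&2; return 1
  fi
  echo "$newpw"
}

SAMPLE="${TMPDIR:-/tmp}/vars.xml.sample"
write_sample_vars_xml "$SAMPLE"
echo "before: $(current_default_password "$SAMPLE")"
echo "after:  $(randomize_default_password "$SAMPLE")"
```

Pointing `randomize_default_password` at the real vars.xml from a package post-install step would do what Sergey describes; the 10-second delay and CRIT message in the demo dialplan are unaffected, since they key off the password value at call time.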

