[Freeswitch-users] Hacked FreeSWITCH mentioned on the Verge regarding bomb threats

Michael Jerris mike at jerris.com
Wed Mar 15 00:40:17 MSK 2017


The demo config includes no way to dial out of a gateway… 


> On Mar 14, 2017, at 5:06 PM, David Villasmil <david.villasmil.work at gmail.com> wrote:
> 
> IMHO, a demo config shouldn't be shipped out by default, it's very risky. If everyone using freeswitch (or any other softswitch for that matter) for the first time was a seasoned sysops, then yes. But this is very much not the case. 
> 
> So maybe it would be safer for everyone to ship it out with a locked-down config, so that user WILL learn how fs works by having to open features one at a time... and then describe in the wiki how to implement the demo config from a git repo.
> 
> This way EVERYONE using fs for the first time Will know they are using a demo config with everything defaulted and "open"...
> 
> But this is just my opinion.
> On Tue, Mar 14, 2017 at 9:58 PM Giovanni Maruzzelli <gmaruzz at gmail.com <mailto:gmaruzz at gmail.com>> wrote:
> btw the problem is always with users/customers that change the demo password "1234" (where there is a delay of 10 seconds put there by this purpose)  to something like "password".
> 
> And what I can do about this?
> 
> I will put a safeguard against silly passwords, and you will make the effort to circumvent also that safeguard because "is easier for my users"?
> 
> On 14 March 2017 at 21:56, Giovanni Maruzzelli <gmaruzz at gmail.com <mailto:gmaruzz at gmail.com>> wrote:
> NO, the default password of the demo configuration is just that, a DEFAULT password of a DEMO configuration.
> 
> That is meant to DEMO just OUT OF THE BOX
> 
> So, it must stay this way, because it just works, and is a demo
> 
> Then, if you put a demo in production, the problem is between the monitor and the seat, not in the software
> 
> 
> On 14 March 2017 at 21:46, David Villasmil <david.villasmil.work at gmail.com <mailto:david.villasmil.work at gmail.com>> wrote:
> Make the default password very obscure ramdomized on the fly... that way people will be crying because they can't figure out a password instead of having noobies hacked :)
> 
> On Tue, Mar 14, 2017 at 9:40 PM Mirko Brankovic <mirkobrankovic at gmail.com <mailto:mirkobrankovic at gmail.com>> wrote:
> Indeed ;)
> 
> On Mar 14, 2017 20:38, "Antonio Silva" <asilva at wirelessmundi.com <mailto:asilva at wirelessmundi.com>> wrote:
> almost... until the user to test set userid = password ... and forget to change it... ops... hacked... 
> 
> it's all about good practices.
> 
> Regards,
> António
> 
> On 03/14/2017 07:39 PM, Mirko Brankovic wrote:
>> Cance default password to uuid(), so every new install will get random one ... Bulletproof :°D
>> 
>> On Mar 14, 2017 19:30, "Brian West" <brian at freeswitch.org <mailto:brian at freeswitch.org>> wrote:
>> This is exactly what prompted me to put the FOUR LINE CRIT statement when the default password isn't changed along with a 10 second delay before proceeding.  Still I see questions posted about the 10 second delay and asking what it means. Not sure how to make it more clear.
>> 
>> /b
>> 
>> 
>> On Tue, Mar 14, 2017 at 1:19 PM, Giovanni Maruzzelli <gmaruzz at gmail.com <mailto:gmaruzz at gmail.com>> wrote:
>> Is nice because they mention FreeSWITCH in the tag of the link, but the link is about FreePBX.
>> 
>> Anyway, it's true: if you do not use the standard security practice, and leave your FreeSWITCH with standard password "1234", or maybe you change the standard password to "password", you probably will be hacked, and phone calls will be originated from your FreeSWITCH that you do not want to originate.
>> 
>> But, man, that's what you, and me, and anyone is expecting.
>> 
>> Also, please do not drive wrong way in the autobahn :))
>> 
>> -giovanni
>> 
>> 
>> On 14 March 2017 at 16:42, Mario G <mario_fs at mgtech.com <mailto:mario_fs at mgtech.com>> wrote:
>> Thought some may be interested in this. I first saw it today via Apple News… Related to tracing bomb threats and Jewish attacks… FreeSWITCH mentioned twice.
>> http://www.theverge.com/2017/3/14/14913118/jcc-bomb-threats-anonymous-phone-calls-pdx-hacking <http://www.theverge.com/2017/3/14/14913118/jcc-bomb-threats-anonymous-phone-calls-pdx-hacking>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20170314/e00ffc8c/attachment.html 


Join us at ClueCon 2016 Aug 8-12, 2016
More information about the FreeSWITCH-users mailing list