Internal Security

dicko

#1
(Or how to spy on all calls with impunity, without anybody caring)
The availability of "extensions" 555 (chanspy) and 888 (ZapBarge) exposes a "naive" implementer to a "smartypants" FreePBX-aware user. He may listen in to the Boss' private conversation with impunity. They should either be off (in "feature codes") minimally, renumbered, or preferably re-implemented in a custom-extension that requires a password. The "Boss" should be made aware of this "feature" if it is enabled (Liability, anybody?)

vm_general.inc should IMHO have:-

forcename=yes
forcegreeting=yes

added to encourage new users to change their passwords (and add greetings) from a justifiable "new user state" of password=extension, for similar privacy reasoning.

Code:
echo -e "forcename=yes\nforcegreeting=yes" >> /etc/asterisk/vm_general.inc
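
The "new user state" of password=extension described above can be audited read-only. This is an added example, not part of the original post: it lists mailboxes in a voicemail.conf-style file whose password is empty or equal to the mailbox number. The function names and sample data are constructed for illustration, and the "mailbox => password,name,..." layout under "[context]" headers is assumed.

```bash
#!/usr/bin/env bash
# Added example: list mailboxes still in the "password = extension" state.
# Assumes "[context]" headers followed by "mailbox => password,name,..." lines.
# audit_vm_defaults FILE prints "context mailbox" for each weak mailbox.
# Exit status: 0 none found, 1 at least one found, 2 file unreadable.
audit_vm_defaults() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk '
        { sub(/;.*/, "") }                      # drop ";" comments
        /^[ \t]*\[/ {                           # [context] header
            ctx = $0
            sub(/^[ \t]*\[/, "", ctx); sub(/\].*/, "", ctx)
            next
        }
        ctx == "" || ctx == "general" || ctx == "zonemessages" { next }
        {
            p = index($0, "=")
            if (p == 0) next                    # not a mailbox line
            box  = substr($0, 1, p - 1)
            rest = substr($0, p + 1)
            sub(/^>/, "", rest)                 # accept "=" and "=>"
            gsub(/[ \t]/, "", box)
            split(rest, f, ",")
            pw = f[1]; gsub(/[ \t]/, "", pw)    # first field is the password
            if (pw == "" || pw == box) { print ctx, box; found = 1 }
        }
        END { exit found + 0 }
    ' "$1"
}

# Constructed sample input (not taken from any real system).
write_sample_conf() {
    cat > "$1" <<'EOF'
[general]
forcename=yes
forcegreeting=yes
[default]
1001 => 1001,Reception,reception@example.invalid
1002 => 48213,Alice Example,alice@example.invalid
1003 => 1003,Bob Example ; never logged in
1004 => ,No Password Set
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_vm_defaults "$sample" || echo "mailboxes listed above need a password change"
rm -f "$sample"
```

On a live system the argument would be the voicemail configuration file itself, typically /etc/asterisk/voicemail.conf (an assumption; the thread names only vm_general.inc).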
 

gbonebrake

#2
Along these same lines... I'm using the free version of iSymphony in a couple places for call management. The free version has unrestricted call barge capability with no security method for restricting this by user. Is there a way through Asterisk configuration to system-wide turn barge off without breaking something else? I know very little of the underlying methods that iSymphony uses to control calls and barge, guess I need to watch the log files during the process to see what is going on.

Thanks in advance -

Greg
 

Chilling_Silence

#3
Shouldn't that be:
Code:
echo -e "forcename=yes\nforcegreeting=yes" >> /etc/asterisk/vm_general.inc
You missed the backslash before the "n" (But I think it's just the Forum doing that)

Appreciate the heads up, didn't know that could be done so easily! Brilliant stuff :)
Is there a force pwd change option also?

Edit: Stupid forum software keeps removing the backslash. See here: http://pastie.org/441499.txt
 

dicko

#4
Not without scripting it (which I have, but it's a little complicated, being a pair of modified /var/lib/asterisk/bin/chk_vm_pwd.agi scripts, and a context wrapper) but I believe it will be a feature in FreePBX very soon as part of the "check stupid passwords, at least for extension secrets" effort.
I agree, stupid software, the backslash was indeed removed.
/var/lib/asterisk/agi-bin/
 
