Open Source has bad reputation in Israel!

The Open Source movement had been in existence since the 60’s, and we can surely find its roots somewhere along the hippie culture and movement. While Free-Love had transcended to Free-Code, or to be more exact – Free-Knowledge, the question of the sources for your Open Source is still questionable. Comparing it with the Sixties, it’s easy to compare the various “Free-Love” movements with the various “Open Source Paradigms” of today. While GPL, BSD, MPL, ZPL and others preach for Open Source adaptation – each one took a different path.

While the paths differ, but the end result is more or less the same, all suffer from a serious lack – a bad reputation. While in the early 2000, Open Source usually meant – highly stable, state of the art technology, increased ROI, lowered TCO and most importantly for many – COOL. Coming 2008, Open Source is starting to get a bad rep, due to the ever increasing simplicity of entering the Open Source world.

I started using Linux somewhere around 1994. My first Linux distribution was a Slackware, with a kernel of 1.0.28 – I needed 99 floppy disks in order to install the system, and it took me a few hours to do so. However, I can’t forget my amazement at seeing the X-Windows environment booting up, and more than that, being completely overwhelmed with the fact that I have a fully functional UNIX environment in my house, just like the one I had in my Army office. Now, I basically had no one to teach me this new environment, so, I had to take my UNIX skills (Solaris and AIX) and adopt to Slackware Linux – it took me a few weeks to get around, but I got around and stuck to it ever since.

Now, let’s jump 14 years forward in time. The year is 2008, a graphic based environment for Linux is no longer a myth and it is getting better and better by the day. People are starting to adopt Linux beyond the academic and the ISP market sectors, slowly integrating Linux based distributions (Mandriva, Ubutnu) on to their desktops and notebooks. Linux is become simple and appealing to everybody.

When something becomes easy to use, people make good use of it – a good example is the Asterisk project. Projects such as TrixBox (AKA: AsteriskAtHome), PBXinaFlash, AsteriskNOW and others had made Asterisk into a simple installation product, that can be installed and managed by any half-decent sysadmin. Problem is, while a half-decent sysadmin will do a fair job of maintaining the system, a shitty sysadmin will crap everything to hell. But hell, that is true for almost anything related to computers or technology – there’s nothing new here! Well, there is nothing new and everything is now new. People who were more or less selling shoes 3 years, then 2 years decided to sell ISP routers, then a year ago started selling IP phones, are now selling Asterisk based systems – using these distibutions, while having no idea what they are selling or promoting. For these people, Asterisk is nothing more beyond FreePBX – once encountering deeper issues, will simply abandon the customer – leaving the Open Source product with a bad rap with the, now disappointed, customer.

I want to believe that other places in the world are different, I want to believe that Israel will reach a point in time when this doesn’t happen – however, I guess that only time will tell and I surely hope this will change in Israel.

Get Ready – isrAsterisk 2009 is coming

It’s been WAY TOO LONG, since isrAsterisk 2007. On January 2007, the first ever Asterisk convention took place in Israel, since then, nothing had really happend in Israel – in terms of community events. It’s high time to have another one, and hopefully, get the ball rolling into a state where we will have one each year.

Unlike the previous event, which was sponsored and controlled fully by Atelis (as no other Asterisk vendor in Israel showed willingness to pitch in) – this event is a true community event. The purpose of the event is to bring the Israeli community into a single location for a few hours, talk about Asterisk, talk about the future of Asterisk, learn from the community and most importantly – meet with the people behind the scenes of the Asterisk community in Israel.

I really hope that this time round we’ll be able to get more funding, as isrAsterisk 2008 never took place due to lack of funding. Who knows, maybe Digium would be willing to add some funds to the fund raiser on the right, and make things easier and faster 😉

Thoughts of Virtualization – Part III – Multiple Asterisk Gateways

While this post is titled “Thoughts of Virtualizaiton”, the applications described can be easily applied to non-VM type installations.

Virtualization is a wonderful tool, it enables rapid growth and rapid deployment of new servers and services. However, just like any other platform that tends to grow across the time line, it poses the same annoying issue of managing a large system, especially when dealing with Asterisk based installations.

Let us imagine the following scenario: A Calling Card company while utilizes 8 different Asterisk application servers, are utilizing a single Database servers cluster and are receiving inbound calls from various sources and load balanced across all Asterisk application servers. What I’ve described above is more or less the practice most (if not) all calling card operators deploy. No matter if the usage is A2Billing, MOR, ASTBILL – the methodology is more or less the same.

One of the bigger issues with such an installation is debugging of a running session, more over, the ability to debug a session after it is finished. This situation is caused by a simple, yet annoying issue, we are operating within a “zero-knowledge” system, where we have no precognition of where a specific call will be handled utilizing our cluster. Now, if you are an experienced sysadmin, you would most probably do the following:

  1. SSH to all your Asterisk servers.
  2. Tile all consoles on your desktop.
  3. Start the test – and hope your eyes are fast enough to capture the right gateway.

Well, this is the normal practice with most people – but I have to admit it’s kind of annoying. Now, let’s imagine that we are now building our system from scratch, we’re not using A2Billing or any of the other Open Source products, we simply build our own application framework. So, what do we need to do in order to keep track of our system correctly?

Step 1: Consolidate

Consolidate the messages coming from each of your gateways to a single logging facility. The best track would be to utilize some form of Syslog facility. For example, all the scripts and network services that I develop utilize a clear and concise interface to syslog. I usually re-direct the syslog facility that I use to an external server, thus, I get all the logs on a single syslog file system.

If you are worried about I/O issues on the syslog server, you can always create a “syslog-proxy” using tools such as memcached or others.

Step 2: Identify

Your syslog write function should always include a prefix indicating the name of the generating Asterisk server. For example, have something like the following prefix your syslog entry:

Dec 14 21:51:32 pbx [PBX01/6d6d6423a2244aa71980e5a5b437919e/check_pincode[22537]: agiParameters: check_pincode

While the syslog facility will include your generating hostname, when duplication VM’s, this would be a really good practice.

Step 3: Analyse

Once your logs are consolidated to a single environment, it should be fairly simple for you to go about and analyse these in a pre-defined routine. There is little to gain from analysing the logs on-the-fly, but analysing it every 5/10/15 minutes will prove worthwhile.

Step 4: Audit

Auditing is good – as long as you keep a clear view of what you audit and what you don’t. Audit key points in your application to a database can save you a whole lot of time of debugging – just make sure your audit is clear.

Keep the above in mind and you should be just fine creating any scale of platform.

FBI Claims Asterisk is unsafe – what a load of bull

After seeing well too many movies about the US and after visiting the US for a few times, many people tend to disrespect the FBI in the USA. While I have much respect for most law enforcement agencies, wherever these are located in the world, I must admit, that the latest warning from the FBI regarding Asterisk borderlines pure hystria and complete misunderstanding of the actual issue.

On Dec 8th, the FBI had issued the following warning:

New Technique Utilizing Private Branch Exchange (PBX) Systems To Conduct Vishing Attacks

The FBI has received information concerning a new technique used to conduct vishingi attacks. The recent attacks were conducted by hackers exploiting a security vulnerability in Asterisk software. Asterisk is free and widely used software developed to integrate PBXii systems with Voice over Internet Protocol (VoIP), digital Internet voice calling services; however, early versions of the Asterisk software are known to have a vulnerability. The vulnerability can be exploited by cyber criminals to use the system as an auto dialer, generating thousands of vishing telephone calls to consumers within one hour.

http://www.ic3.gov/media/2008/081205-2.aspx

Now, after a full weekend of frenzy trying to understand the cryptic warning the IC3 had issues, it was gathered that it is referring to an old time bug, related to Asterisk distributions prior to 1.4.18. Being familiar with the particular bug and the exploitation method – I can say this: They surely have no idea what they are talking about!

The exploitation of the bug requires several pre-requirements:

  • A certain IAX2 configuration has to be deployed
  • A certain version of Asterisk must be used
  • A certain form of dialplan has to be existing
  • You Asterisk server needs to be available on the Internet

Now, even when these 4 are met, the exploitation isn’t all that simple and that straight forward. So, in other words, if you are not utilizing any of the above, you can rest assured that your system is fine. In any case, any system is as secured as the dumbest user (in our case developer/sysamdin) who uses it.

Today is a historic day

Today is a historic day – and I’m not referring to the fact that my birthday is today!

Israel had finally adopted the anti-spam act, where companies are no longer allowed to send you spam email, unless you had specifically granted them the permission to do so. While the act in itself isn’t a new one in the world, it is surely a turning point in the Israeli market.

Over the course of the Internet’s existence in Israel, spam was more or less a given evil that all of us were required to endure. While initially is was more or less non-targeted, brute-force enabled spam, as the years progressed – it became more and more sophisticated and targeted. Unlike the US, where most ISP’s proud themselves by not allowing SPAM providers work with them – Israel went the exact way around.

I can easily recall a period of time I was working at one of Israel’s ISP’s, which was using a SUN Solaris based mail system. One of the customers wanted to utilize that system to send hundreds of thousands of emails to people, however, the system wasn’t able to carry the load. I was recruited to the task under the false pretence that the company (the ISP) needed additional mail-relays. I remember building one of the biggest mail relays I’ve even seen (well, at least in 1999) – a cluster of 6 Linux servers running Qmail. I later on learned that my highly evolved MX relay environment was actually re-configured to allow open relaying from specific IP numbers, thus, allowing spammers to spam from that specific ISP at ease. In addition, later on, the same ISP went on selling its email lists to spam databases as “verified email lists”, charging almost a dollar per email (over 50,000 subscribers in the list).

Over the course of the past 3 weeks, I’ve been getting emails from various emails I’ve been trying to get off from, asking me to confirm my membership with the list. I hadn’t confirmed these, simply waiting and lurking for the first spam message that comes in from one of these lists – and immediately following with a complaint to receive my 1000 Shekels for receiving their unsolicited spam.

So, in my book, December 1st 2008 is a day to remember and honor – and I will surely do so for the years to come (at least until some government ass-hole comes along and negates the act that is).