Observium phones home?
Hi,
Can any of the devs explain why Observium phones home (to update.observium.org) when it runs discover.php? What data is being sent and why isn't this behaviour explicitly mentioned anywhere in the docs or on observium.org?
Thanks,
Dermot
On 2013-05-10 12:58, Dermot Williams wrote:
Hi,
Can any of the devs explain why Observium phones home (to update.observium.org [1]) when it runs discover.php? What data is being sent and why isn't this behaviour explicitly mentioned anywhere in the docs or on observium.org [2]?
Observium is collecting your passwords for analysis.
adam.
The fact that I could read the PHP in question to see what it's doing is beside the point. Setting aside Adam's recent (in the last hour) ninja-edit of the FAQ to cover this topic, adding a phone-home function to Observium that isn't/wasn't advertised and (assuming you've discovered that Observium phones home in the first place) can't easily be opted out of is disingenuous and worrying.
Adam's dismissal of my legitimate question as trolling is pretty fucking disingenuous as well, given the nature of what we're talking about. Equally, the suggestion that I'm only asking about this since Adam published the usage stats page 'earlier' is pretty facile. If that page had existed when I discovered this behaviour, I wouldn't be asking the question.
Finally, this phone-home feature is relatively new as far as I can tell and I don't recall an email to the list announcing it.
Ah well, Observium - it was nice while it lasted.
Dermot
On Fri, May 10, 2013 at 1:02 PM, Adam Armstrong adama@memetic.org wrote:
On 2013-05-10 12:58, Dermot Williams wrote:
Hi,
Can any of the devs explain why Observium phones home (to update.observium.org [1]) when it runs discover.php? What data is
being sent and why isn't this behaviour explicitly mentioned anywhere in the docs or on observium.org [2]?
Observium is collecting your passwords for analysis.
adam.
_______________________________________________
observium mailing list
observium@observium.org
http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
On 2013-05-10 13:25, Dermot Williams wrote:
The fact that I could read the PHP in question to see what it's doing is beside the point. Setting aside Adam's recent (in the last hour) ninja-edit of the FAQ to cover this topic, adding a phone-home function to Observium that isn't/wasn't advertised and (assuming you've discovered that Observium phones home in the first place) can't easily be opted out of is disingenuous and worrying.
I'm not sure if it's possible to ninja-edit a Wiki where the change log is public.
I added the FAQ entry at the suggestion of another user.
The function is documented in defaults.inc.php, along with a simple method of disabling it.
You weren't expecting free software to have comprehensive documentation, were you?
Adam's dismissal of my legitimate question as trolling is pretty fucking disingenuous as well, given the nature of what we're talking about. Equally, the suggestion that I'm only asking about this since Adam published the usage stats page 'earlier' is pretty facile. If that page had existed when I discovered this behaviour, I wouldn't be asking the question.
Yes. Trolling because you didn't ask anything which wasn't already answered by the page which prompted your question.
Finally, this phone-home feature is relatively new as far as I can tell and I don't recall an email to the list announcing it.
It's been there for 3 years. Most of the time it was broken, though.
We added the count of OS types about 2 years ago, when the code was moved to an include.
http://fisheye.observium.org:8060/changelog/Observium?cs=2253
We only just got around to having a look at the statistics yesterday, though. :)
Ah well, Observium - it was nice while it lasted.
Have fun with Cacti. I hear they are tin-foil-hat-friendly!
adam.
I see the points on both sides here. Is what is being sent an issue? From what I see, no.
However, the fact that it is sent has at least breached one of my contractual agreements, and even being an Observium user for a long time, I wasn't aware of this either, and I have read much of what is online, docs-wise. I haven't read the contents of all files, as I shouldn't need to. At least if I get a security team RFI I can reply with knowledge vs. finding out the hard way - now that I wouldn't have been happy with.
My view would be to put this into config.php and therefore make it a little more in your face. Default it to on, but it's there and easy to turn off. One could argue that if it's on, a prompt during a discover run might be a nice touch too.
Several open source packages collect data for this reason but usually spit out that it is enabled, etc, etc.
If it's overstated then there can never be any assumptions or questions raised over it. It sounds like online documentation of this has now, recently, been added.
Just my $0.02 on the topic.
On 10 May 2013, at 14:25, Dermot Williams dermot@deadlocked.org wrote:
The fact that I could read the PHP in question to see what it's doing is beside the point. Setting aside Adam's recent (in the last hour) ninja-edit of the FAQ to cover this topic, adding a phone-home function to Observium that isn't/wasn't advertised and (assuming you've discovered that Observium phones home in the first place) can't easily be opted out of is disingenuous and worrying.
Adam's dismissal of my legitimate question as trolling is pretty fucking disingenuous as well, given the nature of what we're talking about. Equally, the suggestion that I'm only asking about this since Adam published the usage stats page 'earlier' is pretty facile. If that page had existed when I discovered this behaviour, I wouldn't be asking the question.
Finally, this phone-home feature is relatively new as far as I can tell and I don't recall an email to the list announcing it.
Ah well, Observium - it was nice while it lasted.
Dermot
On Fri, May 10, 2013 at 1:02 PM, Adam Armstrong adama@memetic.org wrote:
On 2013-05-10 12:58, Dermot Williams wrote:
Hi,
Can any of the devs explain why Observium phones home (to update.observium.org [1]) when it runs discover.php? What data is
being sent and why isn't this behaviour explicitly mentioned anywhere in the docs or on observium.org [2]?
Observium is collecting your passwords for analysis.
adam.
On Fri, May 10, 2013 at 5:50 AM, John Macleod jcdmacleod@me.com wrote:
I see the points on both sides here. Is what is being sent an issue? From what I see, no.
However, the fact that it is sent has at least breached one of my contractual agreements, and even being an Observium user for a long time, I wasn't aware of this either, and I have read much of what is online, docs-wise. I haven't read the contents of all files, as I shouldn't need to. At least if I get a security team RFI I can reply with knowledge vs. finding out the hard way - now that I wouldn't have been happy with.
I think your complaint is legit -- but I think if your contract terms cover this kind of thing strictly, you should probably set up firewalling on the server to prevent outgoing connections except to whitelisted hosts. That way you aren't depending on software playing nice.
I do this with many of our servers; a web or database server that accepts connections from the Internet shouldn't be connecting *outward*, except to a small set of update servers and the like. If something breaks it's pretty easy to determine from the firewall log what I need to whitelist.
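As an added illustration of the approach David describes (not code from the thread or from Observium): a Python script that reads the denied-egress entries a default-deny outbound firewall writes to the kernel log and turns them into a reviewable list of destinations to allowlist. The log prefix, the nft table and chain names, and the log lines themselves are constructed assumptions.

```python
"""Summarise logged outbound denials from a default-deny egress firewall.

Assumes denied packets are logged by a netfilter LOG rule using the
(assumed) prefix below. Sample log lines are constructed, not captured.
"""
import re
from collections import Counter

LOG_PREFIX = "EGRESS-DROP: "  # assumed --log-prefix on the egress DROP rule

# Constructed sample syslog lines in the kernel/netfilter LOG format.
SAMPLE_LOG = """\
May 10 12:58:01 nms kernel: EGRESS-DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51234 DPT=80 SYN
May 10 12:58:02 nms kernel: EGRESS-DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51235 DPT=80 SYN
May 10 12:58:05 nms kernel: EGRESS-DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=76 PROTO=UDP SPT=40000 DPT=53
May 10 12:58:09 nms sshd[1234]: Accepted publickey for admin from 192.0.2.9 port 50022
May 10 12:59:00 nms kernel: EGRESS-DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51240 DPT=443 SYN
"""

_FIELD = re.compile(r"\b(OUT|DST|PROTO|DPT)=(\S*)")


def parse_drop(line):
    """Return (dst, proto, dport) for an egress-drop log line, else None."""
    if LOG_PREFIX not in line:
        return None
    fields = dict(_FIELD.findall(line))
    if not fields.get("OUT") or "DST" not in fields:  # only outbound packets
        return None
    return (fields["DST"], fields.get("PROTO", "?"), fields.get("DPT", "-"))


def summarise(log_text):
    """Count denied outbound flows by (dst, proto, dport), most frequent first."""
    drops = (parse_drop(line) for line in log_text.splitlines())
    return Counter(d for d in drops if d).most_common()


def allow_rules(summary, table="egress", chain="output"):
    """Render each denied flow as a candidate nft allow rule for human review."""
    return [
        f"nft add rule inet {table} {chain} ip daddr {dst} {proto.lower()} dport {dport} accept"
        for (dst, proto, dport), _ in summary
    ]


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    for key, hits in report:
        print(hits, key)
    print("\n".join(allow_rules(report)))
```

The generated rules are suggestions to review against what the host is expected to talk to, not something to apply blindly.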
David Brodbeck wrote:
On Fri, May 10, 2013 at 5:50 AM, John Macleod <jcdmacleod@me.com mailto:jcdmacleod@me.com> wrote:
I see the points on both sides here. Is what is being sent an issue? From what I see, no. However, the fact that it is sent has at least breached one of my contractual agreements, and even being an Observium user for a long time, I wasn't aware of this either, and I have read much of what is online, docs-wise. I haven't read the contents of all files, as I shouldn't need to. At least if I get a security team RFI I can reply with knowledge vs. finding out the hard way - now that I wouldn't have been happy with.
I think your complaint is legit -- but I think if your contract terms cover this kind of thing strictly, you should probably set up firewalling on the server to prevent outgoing connections except to whitelisted hosts. That way you aren't depending on software playing nice.
I do this with many of our servers; a web or database server that accepts connections from the Internet shouldn't be connecting *outward*, except to a small set of update servers and the like. If something breaks it's pretty easy to determine from the firewall log what I need to whitelist.
The entire troll argument is dumb; plenty of commercial software (read: basically *all*) calls home, you just can't see it in the code.
The pointless crying from the user is easily responded to: read the code and you'll see nothing sensitive or of value is reported; worst case you can always comment it out. It isn't hard. Of course if you do this then you need to manage your SVN updates, and you will be laughed at if it doesn't work.
I suspect that I know the 'other user' that you're referring to; he didn't suggest anything, he asked the same question that I did and was called a 'cunt' for his efforts. At least I got off with a mere accusation of trolling.
Mark, I have neither the time, nor the inclination to pore over every line of every open source project that I evaluate and/or use.
Dermot
On Fri, May 10, 2013 at 1:25 PM, Dermot Williams dermot@deadlocked.org wrote:
The fact that I could read the PHP in question to see what it's doing is beside the point. Setting aside Adam's recent (in the last hour) ninja-edit of the FAQ to cover this topic, adding a phone-home function to Observium that isn't/wasn't advertised and (assuming you've discovered that Observium phones home in the first place) can't easily be opted out of is disingenuous and worrying.
Adam's dismissal of my legitimate question as trolling is pretty fucking disingenuous as well, given the nature of what we're talking about. Equally, the suggestion that I'm only asking about this since Adam published the usage stats page 'earlier' is pretty facile. If that page had existed when I discovered this behaviour, I wouldn't be asking the question.
Finally, this phone-home feature is relatively new as far as I can tell and I don't recall an email to the list announcing it.
Ah well, Observium - it was nice while it lasted.
Dermot
On Fri, May 10, 2013 at 1:02 PM, Adam Armstrong adama@memetic.org wrote:
On 2013-05-10 12:58, Dermot Williams wrote:
Hi,
Can any of the devs explain why Observium phones home (to update.observium.org [1]) when it runs discover.php? What data is
being sent and why isn't this behaviour explicitly mentioned anywhere in the docs or on observium.org [2]?
Observium is collecting your passwords for analysis.
adam.
Tsk. He unsubscribed, resubscribed to send this, then unsubscribed again.
Silly, transparent trolls.
adam.
On 2013-05-10 13:52, Dermot Williams wrote:
I suspect that I know the 'other user' that you're referring to; he didn't suggest anything, he asked the same question that I did and was called a 'cunt' for his efforts. At least I got off with a mere accusation of trolling.
Mark, I have neither the time, nor the inclination to pore over every line of every open source project that I evaluate and/or use.
Dermot
On Fri, May 10, 2013 at 1:25 PM, Dermot Williams dermot@deadlocked.org wrote:
The fact that I could read the PHP in question to see what it's doing is beside the point. Setting aside Adam's recent (in the last hour) ninja-edit of the FAQ to cover this topic, adding a phone-home function to Observium that isn't/wasn't advertised and (assuming you've discovered that Observium phones home in the first place) can't easily be opted out of is disingenuous and worrying.
Adam's dismissal of my legitimate question as trolling is pretty fucking disingenuous as well, given the nature of what we're talking about. Equally, the suggestion that I'm only asking about this since Adam published the usage stats page 'earlier' is pretty facile. If that page had existed when I discovered this behaviour, I wouldn't be asking the question.
Finally, this phone-home feature is relatively new as far as I can tell and I don't recall an email to the list announcing it.
Ah well, Observium - it was nice while it lasted.
Dermot
On Fri, May 10, 2013 at 1:02 PM, Adam Armstrong adama@memetic.org wrote:
On 2013-05-10 12:58, Dermot Williams wrote:
Hi,
Can any of the devs explain why Observium phones home (to update.observium.org [1]) when it runs discover.php? What data is
being sent and why isn't this behaviour explicitly mentioned anywhere in the docs or on observium.org [2]?
Observium is collecting your passwords for analysis.
adam.
Links:
[1] http://update.observium.org [2] http://observium.org [3] http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
If you were able to spot this, you should be able to read the code in includes/versioncheck.inc.php where you'll see what is sent. Also see line 271 of ./includes/defaults.inc.php where you will see how to disable it.
- James
From: observium [observium-bounces@observium.org] on behalf of Dermot Williams [dermot@deadlocked.org]
Sent: 10 May 2013 12:58
To: Observium Network Observation System
Subject: [Observium] Observium phones home?
Hi,
Can any of the devs explain why Observium phones home (to update.observium.org) when it runs discover.php? What data is being sent and why isn't this behaviour explicitly mentioned anywhere in the docs or on observium.org?
Thanks,
Dermot
On 2013-05-10 13:04, james.adams@stfc.ac.uk wrote:
If you were able to spot this, you should be able to read the code in includes/versioncheck.inc.php where you'll see what is sent. Also see line 271 of ./includes/defaults.inc.php where you will see how to disable it.
Not to mention the fact that he only knows about it because we recently started parsing the data and published this earlier today:
http://www.observium.org/wiki/Usage_Statistics
The first section of which explains why and what :)
I rather believe he's just trolling.
adam.
Participants (6): Adam Armstrong, David Brodbeck, Dermot Williams, james.adams@stfc.ac.uk, Joe Holden, John Macleod