A Mini Fonality Furor

A column I wrote here caused a bit of a stir over the past few days.

Here’s a brief recap:

Andy Abramson opined that Fonality, a Southern California-based developer of PBXes built on top of the open-source Asterisk PBX, is “better poised” to move Asterisk into the large enterprise world than Digium, the Alabama-based company that developed and maintains Asterisk.

I wrote that it’s hard to disagree with that assessment because Fonality does “an exceptional job of marketing” and I don’t predict well. But I expressed concerns about security issues inherently related to Fonality’s approach, which puts much of the product’s front-end functionality on Fonality’s servers, requiring a Virtual Private Network (VPN) connection between the customer’s premises and Fonality in order to access much of that functionality.

There’s no question that Fonality’s approach makes Asterisk easier to install and use, but the trade-offs related to security — namely, that, in most office networks (specifically, those that do not put the PBX on a separate subnet) the solution requires a potentially risky VPN connection back to Fonality, and that Fonality has access to call detail records and chat logs that a business may want to keep secret.

In fairness, there are two things I should correct from my initial post:

First, I wrote that “all chats are logged by the central server. Any sensitive IM information within and outside the office through the local box is available to Fonality.” This is not technically correct. Chats are logged on the local premises computer. However, such logs are accessible, therefore available, to Fonality through the VPN.

Second, I regret writing that “. . . Digium doesn’t require an outside computer to be listening in . . . ” Though not written with that intent, I can see how this can be construed as implying that Fonality has access to actual phone conversations, which it does not.

These two slight corrections notwithstanding, I stand by the conclusion that “Fonality may very well be a good solution for some businesses. But those concerned about keeping company secrets are probably better served by Digium’s offering.”

The issues raised in the mini-uproar that followed my column, can be summarized as follows:

1. The Voxilla Store carries “a number of PBXs, none of which are from Fonality.” (Fonality CEO Chris Lyman on VoIPSupply’s Garrett Smith’s blog, also reprinted in entirety in the comments section of my original post.).

2. A Fonality customer can disconnect and reconnect the VPN at will (Lyman on Smith’s blog).

3. “[E]very phone company in the world” keeps call detail records (CDRs) (Lyman on Smith’s blog).

4. Fonality needs the call detail records because the company’s “high-end reporting functionality,” if run on underpowered customer premises computers, “would spike those CPUs into a coma, effecting audio quality. Remember, these premise boxes are designed to pass great audio, not crunch thousands of call records in under a second.” (Lyman on Smith’s blog);

5. The differences between Fonality’s products and a stock Asterisk installation is that Fonality is a partially hosted solution. “All hosted services have to deal with the issues raised by Marcelo . . . ” but “[m]ost premises based services don’t have all the benefits hosted models offer, and may be less cost effective, but deliver greater control of customer data.” (Alec Saunders). Along similar lines, Dameon Welch-Abernathy wrote that “as an IT person, it is your job to do your ‘due diligence’ to find out exactly how any software you deploy might ‘phone home’ or do anything you don’t like.”

There were a few others, but ultimately void of original material: I sell Fonality and disagree with “with most of what Marcelo had to say” because I agree with Lyman. (VoIPSupply’s Garret Smith). And Marcelo’s portrayal is “inaccurate . . . [but] I’m going to stay out of that battle” and point you to Chris Lyman’s point-by-point rebuttal to Marcelo’s assertions.” (Tom Keating, in a fawning review of Fonality’s most recent offering, PBXtra Professional Edition).

As they don’t add much to the discourse, I’ll pass on Smith and Keating. I will take a stab at the others.

1. The Voxilla Store carries an internet communications server (email, IM, contacts, calendar and PBX) developed by Communigate Systems. The Voxilla Store also carries the Linksys SPA9000, a PBX-key system hybrid limited to a maximum of 16 extensions that does not include voice mail capability. Neither of these products is based on Asterisk, and the Voxilla Store does not carry a single item from Digium. The point of my column was that Digium may present a more secure option to business than Fonality. Pointing out that we carry other PBXes on the Voxilla Store is a thinly veiled accusation of self-interested bias, even though Voxilla has nothing to gain when I compare two products we do not carry .

2. Of course, as Lyman writes, a Fonality customer can shut down the VPN, enabling it only when a PBX configuration change is needed. Such steps add a layer of complexity and essentially cripple much of Fonality’s usefulness. And they do not eliminate the security issues raised. A VPN connection is still required to make configuration changes, which then opens up the on-premises computer (call logs, chat logs, etc.) and the network within which it resides. And whenever the VPN connects the local network to Fonality’s, the local network is only as secure as Fonality’s. For some businesses, this may not be an issue, but I suspect that, for many, it’s an important consideration.

3. Yes, phone companies keep call detail records, but Fonality is a PBX company, not a phone company. When I make a cell phone call over the Cingular network, I am aware that Cingular is keeping a record of that call. But phone companies like Cingular (and AT&T, Verizon, etc.) are regulated, both at the federal and state levels. A PBX company is not regulated. The only protection a Fonality customer has is the company’s rather weak Privacy Policy. It states: “records may be viewed if required so by law, or if there is a suspected Terms of Use violation.” Only Fonality, not its customers, determine if there is a “suspected Terms of Use violation.”

4. The argument that Fonality needs to keep CDRs on its servers because on-premise computers are potentially too underpowered to parse them is just false. A record for a single call on an Asterisk PBX is about 200 bytes in length. In its press releases, Fonality claims the company currently services 1,300 customers with a total of 18,000 users. That’s an average of about 14 users per installation. Let’s exaggerate and say that, on average, each of those users makes and takes 1,000 calls (or about 40 a day). For any given month, then, the total size of the call detail logs for an average Fonality customer is about 7 megabytes, which any computer manufactured in the past 5 years can search and output results from in milliseconds.

5. In essence, Saunders and Welch-Abernathy are suggesting the same thing I originally wrote, though Saunders considers himself “an unabashed fan of hosted models.” As I wrote, and Saunders reiterated, the hosted approach has some advantages, including “ease of use.” But it does come with trade-offs.

I pointed out those trade-offs, Fonality CEO Chris Lyman chose to respond by asserting that what I wrote is “inaccurate” (and, on one count — in relation to where chat logs are stored — he is technically correct, though the security concern I raised still exists).

In the end, Lyman’s argument can be boiled down to this: What we do is no different than what the phone company does and “Fonality’s employees pride themselves on their ethics and it is an important part of our corporate culture.”

I have no reason to question Fonality’s ethics and nothing I wrote was meant to besmirch either Lyman or his employees. But Fonality’s offering is, in its very essence, a hosted PBX. In as much, it comes with certain risks that a business deciding between Fonality’s version of Asterisk and Digium’s version of Asterisk should be aware of.

Be Sociable, Share!
  • lostmelvin

    We have been using Fonality for like 3 years now. It was rough at first but pretty good now. I disagree that Fonality = “hosted PBX”. Look at 8×8. That’s hosted. As I see it if your calls are happening onsite then you aren’t hosted. I guess some of their interface is hosted but big deal. I think you should trust your PBX company at least as much as your phone company. I see your point about the call records and if I really cared I guess I could easily symlink my /var/log/asterisk directory to /dev/null or change the output directory and Fonality would never load my CDRs into their db at all. Hehe, yes I do know Asterisk, but I didn’t feel like fiddling all day so I went with Fonality to save time.

  • chris-lyman

    Marcelo,

    All right. Out of fairness in your attempts to appear to your audience as an objective journalist, I have tried to spare you. But, enough is enough. It is time that I let your readers know your true motivations for disparaging Fonality.

    In order to peel back the onion, I need to expand upon the brief, yet poignant, history between our firms — your IP hardware/services company, Voxilla, company and my IP-PBX company, Fonality.

    As stated in my open letter (http://www.smithonvoip.com/2006/11/04/chris-lyman-an-open-letter-to-marcelo-rodriguez/) you and I have only ever spoken once. It was in April of 2005 and you called me up in an attempt to feign apology for failing to mention Fonality in an Asterisk round-up article that you commissioned here: .

    Side-note: Thanks to Fonality’s excellent centralized reporting engine, I was just able to produce a report for this call with a click of the mouse. It was on April 25, 2005 at 2:10pm and lasted over an hour. See here for a screenshot of this call: http://www.fonality.com/images/Marcelo_tries_to_sell_Fonality_his_services.gif

    Back to the call you placed. So, you called me up and introduced yourself. And, immediately you began apologizing for not mentioned Fonality in this Asterisk round-up. Honestly, I hadn’t even read the article until you called me, and really didn’t think it was a big deal once you told me. But, you did. And, you kept lamenting on how you couldn’t believe that Carolyn (the author) had forgotten to mention Fonality, and how you were going to make it up to me, etc, etc. In your state of continued prostration, you even promised Fonality an exclusive article to be featured on your site. I remember this because I was so excited I called up our PR firm right after and told them all about it. Yes, Fonality was pretty young back then, so somebody promising to do an exclusive was pretty exciting.

    Here’s where our call took a strange turn. Right after promising Fonality this “exclusive”, you then promptly switched gears and began to try to sell me on having Fonality use Voxilla’s At Your Service (Voxilla | At Your Service) phone provisioning system. Apparently, you were asking that we (Fonality) begin to pay you (Voxilla) a fee to provision the IP phones that we sell alongside our PBXtra IP-PBX. I was surprised with your overt sales tactics, given that you began the call under the auspices of a journalist. It seemed like mixing a bit too much church and state for my taste.

    But, I made no mention of it and proceeded to listen to your sales pitch about the benefits of your easy provisioning system. Let me remind you how the conversation went from that point (and I paraphrase):

    Me: “Thanks for the offer Marcelo, but we already have a provisioning system that we built in-house. It provisions Ciscos, Snoms, SwissVoices, and Polycoms automatically without us having to touch a single button on the phone. We have had it for over a year.”

    You: “You can auto-provision a Polycom phone without touching a key? I don’t believe it.”

    Me: “I think so, hang on, let me ask my CTO.”

    I put down the phone and ask my CTO – yep, he verifies it.

    I come back to the call and confirm for you what my CTO has told me. Understandably, you immediately stop pursuing selling me on your own engine. Then, clearly not happy, you end the phone call. I have never heard from you again until this thread.

    And, after our one-and-only call, you never did end up writing about Fonality in your promised exclusive. Oddly, you even had Carolyn Shuk call me up as promised and engage me in a 33-minute “exclusive”. In fact, you had Carolyn talk to me a total of three times between May and December 19, 2005. All three times, nothing ended up in print on your site.

    Come to think of it, Marcelo, how is it that you claim to have a leading IP telephony news site and you have never once blogged on Fonality in our 3-year history…even though Fonality is clearly a market leader in this open source revolution? As a “journalist” clearly you must know that Fonality has long been the world’s largest commercial Asterisk deployment with customers in 22 countries, 40 million calls made across our platform, 2000 resellers, thousands of customers, and not a peep. Odd isn’t it? Perhaps I should have bought your service after all.

    Now, Marcelo, I could take more of my time to reply to the host of new inaccuracies in your last post — particularly in and around your randomly-generated factoids re: call logging. But, if I geek out about the high CPU load that results from complex database joins across multiple tables and how these CPU spikes cause degradation of audio channels within Asterisk, I might lose the spirit of this letter.

    Finally, please spare the hyperbole. Despite your repeated attempts to paint this conversation as an earthshaking discourse, the only “furor” this has caused has been a fury of cross-blogging between you and a couple of other bloggers as you attempt to drive traffic to your store. The rest of the industry is much too informed to give credit to your labeling of a low-intensity VPN as a national security threat.

    Oops, an employee at my ISP just sniffed these packets! I gotta get out of here before they find me!


    Chris Lyman
    Fonality Chief Packet Sniffer

    P.S. You claim to have no vested interest in Fonality’s Asterisk or Digum’s Asterisk, yet you run an Asterisk news-group on Voxilla.com to which you sell third-party advertising on. You also directly advertise to this forum your own Voxilla IP phone provisioning service. And, remember, the more folks you are able to scare people away from Fonality’s pre-provisioned appliance + phones with your security scare tactics, the more revenue you may be able to pick up with your ala carte phone provisioning service. Sounds like a vested interest to me!

  • jamm80

    Bleh!!! This whole conversation is exactly what I hate about the blogosphere. Everyone pretends to be an expert so they can sell more of their own stuff. To make it even worse, they don’t even try to hide it anymore…selling it right on the same site they blog!

  • marcelo

    The call Chris Lyman refers to was a conference call in which Lyman did a demo of Fonality’s products for Vikram Gandhi, of the Voxilla staff, and myself.

    There was no discussion about Voxilla offering provisioning services to Fonality for two reasons: We weren’t offering these services in April of 2005 and those services are not applicable to what Fonality markets. Voxilla At-Your-Service was launched on September 22, 2005 (the press release went out on Sept. 15, and can be easily found on various sites via Google). The service is explicitly for IP voice service providers, and is not offered to PBX developers such as Fonality or “a-la-carte” to end users (as Lyman’s postscript asserts).

    During the phone conference product demo, Lyman told us that Fonality can do automatic full provisioning of Polycom phones. And, yes, that was of interest to us. Up until very recently (last month, I believe), Polycom’s firmware did not support setting the phone’s administrative password remotely. We were using Polycom phones internally and, though the phones were mostly provisioned over FTP, we were setting the admin passwords directly on the phone’s keypad. So we asked Lyman how Fonality overcame the limitation. Lyman checked with someone, came back and told us that indeed Fonality does set the password remotely, but never explained how.

    Lyman’s serious accusations do serve a purpose: to obfuscate the original point of the story. The column was written as a result of and explicitly pegged to a post about Fonality and Digium by an influential industry blogger. I pointed out that Fonality is easier to use but, to the security conscious, Digium’s offering is probably a better solution — and explained why.

    It’s as simple as that, and no other motivation was involved.

  • Chris_Lyman

    Marcelo,

    Yeah you didn’t call it “At your Service” back then. On the call you simply referred to it as your “phone provisioning service”. Same thing, different name. You still spent the second half of your phone-call selling. And my guess is if I had bought what you were selling, I wouldn’t be seeing blogs like this from you down the road.

    As for your original, and largely obtuse, point about Fonality vs. Digium, it is pretty clear you don’t understand Digium’s product offering. From Digium, for $995, you get their Asterisk CD and an instruction book. For that same price, Fonality sells you a full server, pre-loaded with our very stable Asterisk and our award-winning PBXtra application – yep for the same $995. And, if the occasional security nut doesn’t like our darn tunnel, they would still end up getting both Asterisk and a server for the same price as you get a CD and a help-book from Digium.

    Marcelo, look, in all fairness, you should really do your homework and try installing Asterisk Business Edition and then installing a PBXtra. Only then will you have garnered the journalistic integrity needed to produce a valid comparative review.

    My advice? Setup a lab and actually take the time to do a proper bake-off of Asterisk Business Edition vs. Fonality’s PBXtra. Heck, call it the: “What I got for $995” review.

    But, until you *do* take that time, your attempts at comparative blogging come off a bit light in the fact department.

    – chris

  • drann3y

    Comparing Fonality to Digium is apples to oranges. Digium’s Business Edition is really more for tech-savvy consultants, folks that aren’t afraid to crack Asterisk and start hacking files and provisioning phones. Fonality products are aimed at business owners who wouldn’t know a Linux penguin from a Teletubby.

    Dale Ranney
    COO
    Atlantic Development PArtners, LLC
    Saint Augustine Florida