Advanced notice to the community regarding Clearly IP modules


(Jared K Smith) #1

In the spirit of transparency and out of the deep respect we hold for all FreePBX community members, we wanted you to know that Sangoma has reluctantly had to take steps in order to protect ourselves and the FreePBX community. Sangoma does not take this decision lightly, as we are extremely sensitive to avoiding disruption of service for FreePBX users – whether customers of Sangoma or not. Thus, we are providing the community advanced notice so it can take appropriate action as necessary.

Over the last few weeks Sangoma has repeatedly attempted to speak with Clearly IP and see if a mutually beneficial arrangement could be reached. Regrettably, Clearly IP has refused to do so. As a result, we were unfortunately left with no choice but to take this step to defend Sangoma’s intellectual property and to protect the community.

We believe that Clearly IP has:

  • Signed their own Clearly IP Key with an unauthorized copy of Sangoma’s FreePBX “Master Signing Key”, without Sangoma’s permission and without signing a key signing agreement. Our Master Signing Key is a trade secret, and helps the FreePBX community know signed modules come from trusted sources. Their actions caused the Cleary IP modules to be seen by FreePBX as trusted or verified by Sangoma, when in fact Sangoma has not authorized such action.
  • Signed modules from other third party companies with the Clearly IP master key, thus extending this trust to third parties – which is something not allowed under the FreePBX key signing agreement.
  • Signed their own “commercial” module, Clearly Devices, with a Clearly IP master key, which was signed with an unauthorized copy of Sangoma’s FreePBX “Master Signing Key”, without Sangoma’s permission and without signing a key signing agreement.

Accordingly, Sangoma, through its external counsel, notified Clearly IP that we would revoke our signature on Clearly IP’s module signing key (as per the rules of the key signing agreement) unless Clearly IP implemented remediation procedures to adequately address our concerns and respect our intellectual property rights. Unfortunately, Clearly IP did not respond to this notice nor attempt any remediation procedures, so we will be revoking our signature on Clearly IP’s module signing key effective as of the morning of February 10, 2020 [Edit: This will now be no earlier than February 17, 2020]. This key signature revocation will cause FreePBX systems to disable all modules signed by the Clearly IP key, and the system will not allow administrators to re-enable the modules.

As we cannot inspect the source code, due to the code obfuscation of the Clearly IP modules, we can’t definitively know the full effect that disabling the Clearly IP modules may have. However, based on our experience, we anticipate that the following would occur:

  • FreePBX will disable the module and the functionality for the affected modules will stop.
  • The administrator will not be able to modify configuration information related to the affected module.
  • Any custom branding offered by the affected modules would revert to default FreePBX branding.
  • However, standard operation of the FreePBX core, and all approved modules authorized by Sangoma will continue to function normally. That is, standard voice service from phones to trunks, and normal call processing, should continue to operate. The administrator should still be able to modify the PBX in all ways not related to the disabled modules.

As stated above, Sangoma does not take this decision lightly, as we are extremely sensitive to avoiding disruption of service for FreePBX users – whether direct customers of Sangoma or not. We hope that Clearly IP will reach out to us and restart the conversation with the goal of reaching a mutually beneficial arrangement in order to adequately address our concerns and respect our intellectual property rights. We are also cognizant that some in the FreePBX community might not have fully appreciated why we were forced to take this step, so we wanted to be transparent about our actions and the reasoning behind them.

Let us be clear – this is not an attempt to exclude participation in the community by anyone, INCLUDING Clearly IP. We simply wish to make sure that everyone operates by the same established rules, and that we protect the community and our users. We are deeply committed to open source communications, and as good stewards of the FreePBX project (and Asterisk as well!), we hope you will understand our perspective.

[Edited to update the revocation date, based on discussion in the thread below.]


Alternative solutions for new E911 rules in 2020
(Jared K Smith) pinned #2

#3

Sure would like to see Clearly IP explain how this happened, though I suspect we will get nothing more since the lawyers are now involved.


(Jared Busch) #4

I am fairly certain you are exactly right.


(Tom Ray) #5

Which part? The part where they actively violated policies that they helped create, or at least enforced for years themselves? Or where they ignored the notices and did nothing to remedy the situation?


#6

Yes.

I would like to give the benefit of the doubt…


(Rob Thomas) #7

Here’s a gdoc as the authoritative source, just in case something is edited here: https://docs.google.com/document/d/1CLyy1d2FZ6HTvOtTZPi5tKJ0l27kFlHaiBySWDkXAeo/edit?usp=sharing

OK, so here I am responding as me - xrobau, Rob, the guy who CREATED FreePBX, and also the guy that created all of the GPG stuff, not as a representative of Clearly IP. Here’s the quick summary - I’m totally blindsided by this post, and it seems that there’s a lot of wild accusations being thrown around, lawyers are getting involved, and a bunch of crap is happening, all because Sangoma is pissed at me.

Because everything that I’ve done is legal and above board, they’re trying to get revenge at me by threatening legal action and attacking Clearly IP (who I work for now) and, I guess, are trying to put Clearly out of business - maybe it’s affecting Sangoma’s own business and revenue? But that’s just me guessing, of course, because I have no idea why a massive company like Sangoma is rattling its sabers and making all this noise, trying to beat up on a tiny company like Clearly, along with the guy that created FreePBX, when they don’t have a leg to stand on.

Let’s start with some background. When I left Sangoma, I didn’t make a big deal about WHY I was leaving, but if you read between the lines of my ‘I’m leaving’ post, a lot of people guessed that I was pissed - and I was. I had been lied to, tricked, sent to the other side of the planet to avoid an important meeting, and I was done. So I gave my 2 weeks notice, confirmed with them that I didn’t have an NDA or non-compete, and left with my head held high and feeling good about things, with only a slightly passive-aggressive leaving note, and not slagging out Sangoma, even though I was FURIOUS with them at the time.

Unfortunately for Sangoma, I was the start of the exodus. As everyone has noticed, almost all of the old FreePBX team also left over the next 6 months. However, Sangoma had learned from losing me, and the remaining people were forced to have NDAs, Clauses that insist on Non-Forking of any open source Sangoma products and unenforceable Non-Competes. But I didn’t, and I would never sign anything that would limit me, because FreePBX is my baby, and always has been. I created it! I would never agree to anything that limited my ability to use, develop, or hack on it.

So that’s where we are now. I’m the guy that created FreePBX. Under the terms of the GPL and AGPL, I can do anything with it and Sangoma can’t stop me. I also still own the copyright on a bunch of things, INCLUDING THE ENTIRETY OF THE GPG SUBSYSTEM AND THE “FreePBX Master Signing Key”.

Here is the link from 2014 that clearly shows I have personal copyright along with Schmooze Com Inc.

Here is the original FreePBX Master Public Key that anyone can import - https://pastebin.com/22cDUg3y

Using that key, ANYONE can import and validate that key by running the commands in https://pastebin.com/wtSdQgMS. That ends up giving you this result:

root@plex:~# gpg --list-sigs 9F9169F4B33B4659
pub   rsa4096 2014-04-30 [SC]
      2016349F5BC6F49340FCCAF99F9169F4B33B4659
uid           [ unknown] FreePBX Module Signing (This is the master key to sign FreePBX Modules) <modules@freepbx.org>
sig          51F5B68D25155DCB 2014-05-01  Rob Thomas (Personal Email) <xrobau@gmail.com>
sig 3        9F9169F4B33B4659 2014-04-30  FreePBX Module Signing (This is the master key to sign FreePBX Modules) <modules@freepbx.org>
sig 3        9F9169F4B33B4659 2016-05-04  FreePBX Module Signing (This is the master key to sign FreePBX Modules) <modules@freepbx.org>
sig 3        9F9169F4B33B4659 2017-06-07  FreePBX Module Signing (This is the master key to sign FreePBX Modules) <modules@freepbx.org>
sig          DB16FED947DF73B1 2018-09-12  [User ID not found]
sub   rsa4096 2014-04-30 [E]
sig          9F9169F4B33B4659 2017-06-07  FreePBX Module Signing (This is the master key to sign FreePBX Modules) <modules@freepbx.org>

To explain this simply, this says that the key was generated on 2014-04-30, and signed by me on 2014-05-01. That key was then used in the GPG module on 2014-05-09.

My copyright and ownership on that key was never assigned to Sangoma. They have been allowed to use it, because it was ALSO Copyright to Schmooze, and Sangoma bought Schmooze, but my copyright and ownership of it was never sold or transferred. Sangoma and myself are the only two entities that have copyright on that key, and are the only entities that are allowed to grant permission to other entities to use it.
Now let’s go through a timeline of what’s been happening.

  • September 2018 - I make it public that I’m leaving.
  • May 2019 - I join Clearly IP, and out of habit generate a GPG key for Clearly IP shortly after that.
  • September 2019 - I sign the Clearly IP key with the FreePBX Master key (that I own)
  • January 22nd 2020 - Sangoma edits the ‘Key Revocation’ section of the FreePBX Wiki, to add the ability to revoke keys if someone else is making money from a FreePBX module (slightly paraphrased)
  • February 3rd 2020 - Sangoma’s Law Firm sends Clearly IP an email saying that we shouldn’t have the master key and that we stole it. Clearly engages with outside legal counsel to work up a response and get all the facts in our response.
  • February 6th 2020 - Clearly IP receives a certified letter by US Mail and another copy by Fed Ex both mailed on the 3rd from them.
  • February 7th 2020 3:30pm - Clearly IP responds to Sangoma’s letter by email
  • February 7th 2020 6:00pm - Sangoma ignores our reply, and posts this with more threats to shut down our business, whilst making bogus claims.

And that’s where we are now. Sangoma is waving lawyers around, trying to get Clearly IP to pay up for some sort of extortion, which - as far as I know - they haven’t even told us what they want, and it looks like they’re doing this because they’re pissed at ME. Unfortunately for Clearly IP, because they don’t have a leg to stand on they are going to break Clearly IP and Sangoma systems as some sort of crazy vengeance.
Now, let’s just go through a few points in that announcement.

  1. “Our Master Signing Key is a trade secret”
    No. A trade secret is only a secret if it’s secret. Sangoma knows I have the key, and also explicitly knows OTHER people outside of Sangoma have the key. This is not a trade secret, nor are they the exclusive owner of this key. (“Trade Secret” has a specific legal definition)
  2. [It] “helps the FreePBX community know signed modules come from trusted sources”
    No. It does not. It’s never done that. It’s documented everywhere that signed modules are purely for integrity validation. If you look at the title of the page that Sangoma edited, it’s called “Module Signing (Integrity Validation)”. It’s also stated in NUMEROUS places that it’s only for integrity checking:
  3. “Their actions caused the Cleary(sic) IP modules to be seen by FreePBX as trusted or verified by Sangoma”
    How could someone think that? If they had read any wiki page or community post about module signing, they’d know it was purely about integrity validation, and not about certification or trust. But if they hadn’t read any posts about it, they wouldn’t even know that signatures existed, not to mention know how to find out who signed what key.
  4. “Signed modules from other third party companies with the Clearly IP master key, thus extending this trust to third parties – which is something not allowed under the FreePBX key signing agreement.”
    That didn’t happen, as far as I know. I may be wrong, of course! But, the Sangoma Key signing agreement isn’t relevant ANYWAY, as I was the one that signed the Clearly IP key.
  5. (CIP signed their own module) … “which was signed with an unauthorized copy of Sangoma’s FreePBX “Master Signing Key”, without Sangoma’s permission and without signing a key signing agreement”
    We’ve just been through this. Sangoma knows I’m a copyright owner of the key. Sangoma knows that I have the key. Sangoma knows that other people have the key. This was in the email they received earlier today. So it’s not unauthorized as I am a Copyright Holder of the key.
    The only relevant bit here is “without Sangoma’s permission”, and that’s actually correct! But who in their right mind would think that I need to ask Sangoma’s permission to use my own key to sign my OTHER key, purely to attest that I verify that I am me? Not even a crooked lawyer could try to convince people that.

And all of that gets to this one important fragment at the bottom of the post: “We hope that Clearly IP will reach out to us and restart the conversation with the goal of reaching a mutually beneficial arrangement” - it’s all about the money, isn’t it? Disregarding the fact that they’re springing this on us without any warning at all (well, ok, 48 hours), and then ignoring our responses, to try to pressure Clearly IP into giving in to something that they haven’t even told us about.

I wrote FreePBX and gave it away. I wrote the GPG subsystem, gave it away too, and made a big deal about it not being about money. I foresaw this coming, and insisted that every document and every publication about signing a key is purely about integrity validation, and is never about certification or validation. But yet, that’s what Sangoma is trying to say, that the integrity validation is some sort of blessing-from-on-high, despite everything that their own documentation says, and everything that I wrote as part of creating it.

So now you know. This is one of the reasons I left Sangoma. They lie whenever they want, and change the rules to suit them. But this time I’m not going to sit here and take it. When I was doing some research into this post, I discovered that my copyright on the GPG code was unlawfully removed. If Sangoma wants to get lawyers involved, then it’s super easy to prove that my Copyright was removed without permission, which is actually theft and violation of my Intellectual Property!

Your move, Sangoma.

Edit 2: Fixed whose law firm sent an email to whom.
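
The `gpg --list-sigs` output quoted above is the evidence the post rests on, so it is worth being able to read it mechanically. The following is an added example, not code from the post or from FreePBX: a small parser for the human-readable `gpg --list-sigs` format that separates the key's self-signatures (the `sig 3` lines, certification level 3, made by the key itself) from certifications made by other keys, and flags signers whose key is not in the local keyring (`[User ID not found]`). The sample input is the listing from the post, embedded as a constructed string; the function and field names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the `gpg --list-sigs 9F9169F4B33B4659` listing quoted above.
SAMPLE = """\
pub   rsa4096 2014-04-30 [SC]
      2016349F5BC6F49340FCCAF99F9169F4B33B4659
uid           [ unknown] FreePBX Module Signing (This is the master key to sign FreePBX Modules) <modules@freepbx.org>
sig          51F5B68D25155DCB 2014-05-01  Rob Thomas (Personal Email) <xrobau@gmail.com>
sig 3        9F9169F4B33B4659 2014-04-30  FreePBX Module Signing (This is the master key to sign FreePBX Modules) <modules@freepbx.org>
sig 3        9F9169F4B33B4659 2016-05-04  FreePBX Module Signing (This is the master key to sign FreePBX Modules) <modules@freepbx.org>
sig 3        9F9169F4B33B4659 2017-06-07  FreePBX Module Signing (This is the master key to sign FreePBX Modules) <modules@freepbx.org>
sig          DB16FED947DF73B1 2018-09-12  [User ID not found]
sub   rsa4096 2014-04-30 [E]
sig          9F9169F4B33B4659 2017-06-07  FreePBX Module Signing (This is the master key to sign FreePBX Modules) <modules@freepbx.org>
"""

UNKNOWN_UID = "[User ID not found]"

# "sig", optional certification level (1-3), 16-hex long key ID, date, then the signer's UID.
SIG_RE = re.compile(r"^sig\s+(?:(\d)\s+)?([0-9A-F]{16})\s+(\d{4}-\d{2}-\d{2})\s+(.*)$")
UID_RE = re.compile(r"^uid\s+\[\s*(\w+)\]\s+(.*)$")
FPR_RE = re.compile(r"^\s+([0-9A-F]{40})$")


@dataclass
class Sig:
    signer: str            # long key ID of the key that made the signature
    date: str
    level: Optional[int]   # certification level, if gpg printed one
    uid: str
    known: bool            # False when the signing key is not in the local keyring


@dataclass
class Listing:
    algo: str
    created: str
    usage: str
    fingerprint: str = ""
    uids: List[Tuple[str, str]] = field(default_factory=list)   # (validity, user id)
    key_sigs: List[Sig] = field(default_factory=list)           # sigs on primary key / UIDs
    sub_sigs: List[Sig] = field(default_factory=list)           # sigs on subkeys


def parse_list_sigs(text: str) -> Listing:
    """Parse one key's `gpg --list-sigs` block (human-readable format)."""
    listing = None
    in_sub = False
    for line in text.splitlines():
        if line.startswith("pub "):
            _, algo, created, usage = line.split()
            listing = Listing(algo, created, usage.strip("[]"))
        elif line.startswith("sub "):
            in_sub = True                     # subsequent sig lines belong to the subkey
        elif FPR_RE.match(line):
            listing.fingerprint = FPR_RE.match(line).group(1)
        elif UID_RE.match(line):
            listing.uids.append(UID_RE.match(line).groups())
        elif line.startswith("sig"):
            m = SIG_RE.match(line)
            level = int(m.group(1)) if m.group(1) else None
            uid = m.group(4).strip()
            sig = Sig(m.group(2), m.group(3), level, uid, uid != UNKNOWN_UID)
            (listing.sub_sigs if in_sub else listing.key_sigs).append(sig)
    return listing


def primary_key_id(listing: Listing) -> str:
    """The long key ID is the low 64 bits (last 16 hex digits) of the fingerprint."""
    return listing.fingerprint[-16:]


def self_sig_dates(listing: Listing) -> List[str]:
    own = primary_key_id(listing)
    return sorted(s.date for s in listing.key_sigs if s.signer == own)


def third_party_certifiers(listing: Listing) -> List[Tuple[str, str, bool]]:
    """(key id, date, signer-known?) for every certification not made by the key itself."""
    own = primary_key_id(listing)
    return [(s.signer, s.date, s.known) for s in listing.key_sigs if s.signer != own]


if __name__ == "__main__":
    lst = parse_list_sigs(SAMPLE)
    print("key", primary_key_id(lst), "created", lst.created)
    print("self-signatures:", self_sig_dates(lst))
    for signer, date, known in third_party_certifiers(lst):
        print("certified by", signer, "on", date, "" if known else "(signing key not in keyring)")
```

Two caveats a practitioner would apply to this listing: `--list-sigs` only prints the signature packets attached to the key and does not check them, so `gpg --check-sigs` is the command that actually verifies each certification; and a `[User ID not found]` line means the certifying key is absent from the local keyring, so nothing can be said about that signature until the key is imported.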


(Charles Darwin) #8

@xrobau
I understand your frustration…but did you get paid for coding … by Sangoma? If yes, the freePBX (Sangoma) code you provided is not your property.

@Sangoma
Deactivating modules on Monday morning is kind of rude…
Couldn’t you just start with a warning in the freePBX dashboard with a countdown of, let’s say, two weeks? So that customers of Clearly IP have enough time to un- and re-install (unsigned) modules…


(Rob Thomas) #9

No. That was written before Sangoma purchased Schmooze, and my Schmooze contract had several clauses ensuring that I retained ownership of any open source things I wrote/created. I didn’t want to get into it in that original rant, but Copyright and ownership of the code (and key) wasn’t in question, until today.

I also wrote that outside of hours, because there was a lot of push-back about it internally, so I explicitly did it all on my own time.


(Charles Darwin) #10

Well, I assume once Sangoma bought Schmooze, this old contract might not be valid anymore.
Lawyers will tell…
I just don’t think that lawyers help to solve a problem…lawyers usually ARE the problem :wink:


#11

My hot take (as if anyone cares, but because I already asked for details in this thread) is that you are within your rights based on all you have said, but it was still poor judgment as you should have expected this to cause a conflict with Sangoma. Thanks for the info; now we have to wait to see who “wins.”


(John Jarrett) #12

“I just don’t think that lawyers help to solve a problem…lawyers usually ARE the problem.” That is a true fact!
In any lawsuit there are winners and losers; but you know who will always win? Lawyers!
I am fearful of the future of FreePBX and these companies. This sucks for all of us and I pray you all can work it out before one or both go bankrupt in paying attorney’s fees and FreePBX lies dormant.


#13

As a customer of Sangoma, and Schmooze before that, I completely bought into the PBXAct ecosystem. I am a regular re-seller of Phones, appliances, commercial modules and ongoing support.

I am a customer of both Sangoma and Clearly IP. I intended to continue my relationship with both.

Regardless of the legal implications, I find it troubling that Sangoma would give essentially 2 days notice to customers that may be affected by this change. I find it even more troubling that it was done in a public internet forum that may not be frequented by affected customers, and that Monday morning, their systems may or may not have issues.

Again, regardless of the legal implications, I also find it troubling that this is even an issue for an “Open Source platform” such as FreePBX. Isn’t the spirit of open source that anyone can make improvements? This feels like bullying, plain and simple, and us re-sellers now have 2 days to scramble.

And finally, I have not given Sangoma permission to disable ANYTHING on my system, nor prevent me from installing a 3rd party module. I’m not an attorney, but hasn’t the legal system explicitly (Microsoft and Apple jump to mind) disallowed this type of practice?


(Scott Griepentrog) #14

This is crazy. I mean, this is exactly what Ward Mundy was pointing out years ago, and all of us were telling him it would never happen. The module signing was supposed to be about securing FreePBX against attackers – not securing revenue. We told Ward that back then, and he didn’t believe us, and we called him a troll. I’m sad to see that his concerns have, at least in part, come to fruition. I can’t say I’m entirely surprised, given my more recent experiences while working for both Digium and Sangoma, but I am very disappointed to see such a great open source project as FreePBX used this way. I believed in Digium and Asterisk because of the way it was created and provided a success as a way for open source to be funded from the hardware, and joined the company happily back in '13 because I wanted to be a part of that. Now I fear for the future of both, and I’m very interested to see how this disagreement is settled. Legal wrangling to try to hold onto profits doesn’t work. Sangoma needed to retain the open source believers - the talent that created the IP - and failed to do so. I see this action doing more harm to them than good in the long run.


(Charles Darwin) #15

Well…the problem seems to be that a 3rd party made it look as if their module is officially part of freePBX, by using the freePBX key…without asking…with the intention to better sell their products…


(Jared Busch) #16

Ward’s issues with all of this were things implemented by the Schmooze team that seem to have mostly gone on to form Clearly IP.

Prior to this, Sangoma has been pretty stand-off about everything FreePBX related. Too much stand-off IMO.

Of course, behind-the-scenes issues that made those people want to leave are also possible. None of us can know that unless it is made public.


#17

I just have to say that this is very upsetting how Sangoma/Schmooze is handling this matter. I don’t exactly consider it advance notice when you tell someone on a Friday that when you come in on Monday your system may not work. That right there shows that they have no regard for their customers or installers.

Additionally, FreePBX was and is meant to be open source, to allow people to make customizations at their own will, to use third-party modules if they so choose. The fact that Sangoma/Schmooze is now disallowing the use of such modules is terrible and shows that it’s only about the money to them and that they do not care about the community of users.


(Tom Ray) #18

Note: I put this back. Yes, I use words like trusted, etc. While that may have never been the intent to be a WoT it pretty much is.

You’re using too broad of strokes here. The claim is clear. Misuse of the Master Key to sign modules. This is something that has existed for years. Also the fact that all contributed modules must be AGPL and not generate commercial revenue as contributed modules could be merged into FreePBX as a whole.

Anyone can make and use a module for FreePBX. It will generate an unsigned warning from FreePBX warning you that the module isn’t verified by Sangoma/FreePBX. Signing a module with Sangoma means there is a verification process and FreePBX will see this as a trusted module by its system.

How did people know they got compromised by the last XSS exploits because they didn’t install the fix? The module signing told them their modules had been modified and sure enough they found the system compromised.

So if people are using things to make their modules look like they are signed and verified by FreePBX/Sangoma and they are not, that could lead people to install malicious code by bad actors and think they are fine because FreePBX says the module passes.

No one is stopping anyone from contributing or making modules. But with a project like this you have to control and have some verification process so randos aren’t committing modules that can do harm to the users.
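
The post above describes the detection side of module signing: a signed manifest lets FreePBX notice that a module's files have been altered after installation. The following is an added example, not code from the thread or from FreePBX, and it does not reproduce FreePBX's real `module.sig` format; it models the idea as a plain SHA-256 manifest (`build_manifest`) and an integrity check (`verify_manifest`) that reports modified, missing and unexpected files. The `demo` function constructs a throwaway module directory, then alters one file and drops in an unlisted one, which is what a tampered install looks like to the check. Deliberately, nothing here decides which key signed the manifest: that is the separate trust question the thread is arguing about, and an intact-hashes result says nothing about it.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large module files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> Dict[str, str]:
    """Map every file under root (relative, POSIX-style path) to its SHA-256 hex digest.
    In a real signing flow this mapping is what would be signed and shipped with the module."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Integrity check only: compare the files on disk with the manifest.
    All three lists empty means the tree matches what was signed.
    Whether the manifest's signer should be trusted is a separate decision
    that this function intentionally does not make."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed scenario: a tiny module tree is hashed, then tampered with.
    Returns the check results from before and after the tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # constructed module files; names are illustrative, not a real module
        (root / "functions.inc.php").write_text("<?php // constructed module code\n")
        (root / "page.example.php").write_text("<?php echo 'settings page';\n")
        manifest = build_manifest(root)
        before = verify_manifest(root, manifest)

        # Tamper: change a listed file and add a file the manifest never mentioned.
        (root / "functions.inc.php").write_text("<?php // constructed module code\n// unexpected change\n")
        (root / "extra.php").write_text("<?php // not in the manifest\n")
        after = verify_manifest(root, manifest)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

The split between `build_manifest` and `verify_manifest` mirrors the two halves of the argument in this thread: the hash comparison is what catches a modified module after the fact, while the question of whose key certified the manifest (and what that certification is supposed to mean) sits entirely outside the integrity check.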


(Scott Griepentrog) #19

But has that always been in the key signing agreement, or was it modified since then to include that? What Ward says in https://nerdvittles.com/?p=31577 makes me believe that it was modified more recently, in order to make a clear case for revoking Clearly IP’s key.


(Brian Ladd) #20

(editing my question after re-reading posts) So if I’m reading all this right, Sangoma’s claiming it’s their key and @xrobau says it’s also his key. I don’t see how that can work if the 2 parties aren’t working together. How can Sangoma guarantee the integrity of the modules signed by the key if the other owner is signing modules with it they can’t test/verify (and vice versa)?