FCC Rules Open Source Code Is Less Secure 365
An anonymous reader writes "A new federal rule set to take effect Friday could mean that software radios built on 'open-source elements' may have trouble getting to market. Some US regulators have apparently come to the conclusion that, by nature, open source software is less secure than closed source. 'By effectively siding with what is known in cryptography circles as "security through obscurity," the controversial idea that keeping security methods secret makes them more impenetrable, the FCC has drawn an outcry from the software radio set and raised eyebrows among some security experts. "There is no reason why regulators should discourage open-source approaches that may in the end be more secure, cheaper, more interoperable, easier to standardize, and easier to certify," Bernard Eydt, chairman of the security committee for a global industry association called the SDR (software-defined radio) Forum, said in an e-mail interview this week.'"
SFLC has white paper on the subject (Score:5, Informative)
Wavelength restrictions (Score:5, Informative)
That's why today, most radio-enabled devices, and especially mobile phones, have to pass type conformance to be commercialized in a geographic area. In the current state of things, if the radio software can be changed by the user, the type conformance cannot be awarded. Software radio makes things worse, because it is harder to justify that a component cannot emit at a given frequency, if changing the software in this component would allow switching emission frequencies at will.
Re:Wow... Governmental doublespeak (Score:4, Informative)
Re:Wow... Governmental doublespeak (Score:3, Informative)
Re:Amusing (Score:4, Informative)
The enemy knows the system (Score:3, Informative)
Read the wikipedia article, it is enlightening and very insightful.
Re:The FEDS (Score:3, Informative)
I'm sure he appointed people to the FCC who are every bit as competent as:
Brown
Chertoff
Wolfowitz
Rumsfeld
Harriot Myers
Alberto Gonzales
Scotter Libby
...it's a very long list. Should I keep going or did I make my point?
It's just another one of the Bush-buddy coat tails (Score:4, Informative)
Kevin J. Martin is the current head of the FCC, appointed by Bush in 2005. Prior to that, he was general council for Bush's first election campaign, then he took over the 'technical transition' when Bush/Chenny were moving into the white house. After they got settled he picked up a nice position as a white house assistant. The guy is nothing more than yet another Neo-con chronie who shows his loyalty to big business and the party line over the interests of the people and gets promoted for it.
On the bright side though, he is at least somewhat qualified for the job. He has a real degree from a real school, he worked at the FCC prior to being appointed to Chairman, and has focused much of his career in the tech/telecomm industries.
-Rick
Go with the big guns... (Score:5, Informative)
...like Bruce Schneier:
from Crypto-Gram: September 15, 1999 [schneier.com]
But what could we expect from an FCC headed by a lawyer, a businessman, a professional Senate staffer, a DRM-supporter who received coaching from Clear Channel to oppose a satellite radio merger, [wikipedia.org] and a professional telecom corporate lobbyist.
Enigma was publicly documented to a degree ... (Score:3, Informative)
This example aside, your suggestion that "security through obscurity" is bad is wrong. See http://slashdot.org/comments.pl?sid=246437&cid=19
Re:How can you vet ignorance? (Score:3, Informative)
You're right that it will not be able to functionally replace the existing program, but if your plan is to replace the entire software in a device with your own software that tells it to plaster noise across a police band, for example, there's no longer any need to maintain functional compatibility with the upper levels of software in the device, and the lack of FCC certification for a device containing the open source software isn't of any real consequence.
The FCC's premise is fundamentally flawed. They see that the software can be changed in ways that would not pass certification and therefore won't certify the software. That's silly because the FCC doesn't certify the software to begin with. They certify the device which contains a particular version of the software. Thus, from their perspective, it doesn't make any difference whether that software is open source. If someone wants to muck with the software radio and make it do something malicious, the mere existence of the open source software is sufficient even if the open source software is not being used on the device as shipped.
The only reason the FCC could take issue with open source is that someone could then make changes to it and push it out of compliance and update their device with the software. However, someone could do the same thing by random poking in a closed source binary. The programming specs for the device are open, so snoop the values sent for power output, etc. as they are sent to the device, then scan the code for those values and change them. It's not significantly harder as long as the specs for the chipset are available, and don't get me started on how idiotic it would be to make those closed.... Further, the same could be done even with a hardware radio. Look at the schematics, figure out which resistor controls the gain, and thirty seconds later, you're transmitting at a higher wattage. One could actually argue that it is easier to modify such parameters in hardware devices because everything is very visually laid out in front of you. Heck, people have been sticking 30W linears on CB radios for years. There's no difference.
Re:Why is the FCC regulating security? (Score:5, Informative)
If one guy is in the street protesting it is easy to control and quell. If its 10,000 guys in the street protesting it gets a little harder, if its 10,000,000 guys its basically imposisble.
Re:Amusing (Score:5, Informative)
Uh...This is So Wrong...So Wrong... (Score:4, Informative)
Interesting that they apparently didn't consult folks at NSA. Their operating hypotheses for any US cryptosystem are:
1. The equipment is known and available for disassembly and testing
2. The algorithm is known or discernable from the equipment and related manuals
3. You have lots of output data from the device (the underlying plain text is properly)
4. You don't have the key...that's what you need
While I will grant that most folks never see any of this (most equipment, algorithm details, and key parts of repair/use manuals are classified), they assume the worst case and still make it secure. In other words, like having open source code and figuring out the key from that and clean output.
While "Security through Restricted Access" is a very good practice, the argument is STUPID at best, and downright biased towards closed, proprietary software vendors. Frankly, these people couldn't encrypt their way out of a wet paper bag with a pen, ruler, and other sharp things like their pointy little heads.
If they think it is "less secure" we can lock them up somewhere with whatever they want to crack an open source cryptosystem used as the jail lock and see how soon they get out. I hope they include a lifetime supply of food, water, toiletries, medicines, etc. I think a simple 1024 bit Elliptical Curve Cryptographic system will keep them safely behind bars for several decades, if not their lives.
Where do they find these bozos to fill these positions? I'd like to know so we can close that source of universal stupidity off and make the world a better place...
I guess these folks will never qualify for one of my D.O. letter...they're either just too stupid or have such low IQs that they need to be institutionalized immediately.
Re:Where's the NTFS writer then? (Score:5, Informative)
We are talking about REGULATORY security (Score:5, Informative)
The issue is that this ruling benefits Cisco that wants to defeat the likes of Linksys, Netgear and others that are beginning to deliver "decent" solutions with cheap radios and the help of hobbyists leveraging open source software. If you require that some of the SW is closed, you cannot leverage the benefits of the open source module on that bit you have closed. You also have to end up spending more time organizationally to support the effort, because you have to maintain two sets of documents -- one for the closed section, and another for the open section. You have to support binary compatibility, or some mechanism for the open source to integrate with the closed source firmware... it just becomes that much more of a burden for Cisco's competitors to develop and maintain their solutions.
So, please, don't flood the FCC with emails telling them that "Open source /is/ secure" -- from the standpoint of regulation, it's not! Flood them instead with messages that say, "This ruling is entirely prejudicial against many companies leveraging Open Source software for their solutions."
Nice edit (Score:4, Informative)
You learned exactly the wrong lesson from crypto (Score:2, Informative)
Re:Where's the NTFS writer then? (Score:2, Informative)
Re:Well, they're technically correct, of course... (Score:3, Informative)
But, overall, the idea of XORing a random key as long as the source text works. You need a random key and to keep it secret and *never* reuse it. This is important, any reuse and simple known plaintext methods can often crack it in seconds.
Essentially a stream cypher can be thought of as a one-time-pad where a psuedo-random number generator (PRNG) which you seed with your key generates the pad material to the same length as the file.