FCC Rules Open Source Code Is Less Secure

An anonymous reader writes "A new federal rule set to take effect Friday could mean that software radios built on 'open-source elements' may have trouble getting to market. Some US regulators have apparently come to the conclusion that, by nature, open source software is less secure than closed source. 'By effectively siding with what is known in cryptography circles as "security through obscurity," the controversial idea that keeping security methods secret makes them more impenetrable, the FCC has drawn an outcry from the software radio set and raised eyebrows among some security experts. "There is no reason why regulators should discourage open-source approaches that may in the end be more secure, cheaper, more interoperable, easier to standardize, and easier to certify," Bernard Eydt, chairman of the security committee for a global industry association called the SDR (software-defined radio) Forum, said in an e-mail interview this week.'"
  • by Anonymous Coward on Friday July 06, 2007 @01:07PM (#19769625)
    ... since its very inception back in 1934 (and its predecessor, the "Federal Radio Commission", from 1927 until 1934) has always been under the corrupted financial influence of the big broadcasters, despite the faux-adversarial image they try to paint on their relationships.
  • by gillbates ( 106458 ) on Friday July 06, 2007 @01:09PM (#19769657) Homepage Journal

    How can you prove something is secure if you can't see the source code?

    You can't.

    The FCC's position is that it is better to hide one's head in the sand and hope the vendor implemented a secure solution than to actually *prove* the solution is secure.

    The FCC has always worried that the technology's flexible nature could allow hackers to gain access to inappropriate parts of the spectrum, such as that used for public safety. So the regulators required manufacturers to submit confidential descriptions showing that their products are safe from outside modifications that would run afoul of the government's rules. Cisco's petition asked the regulators to clarify how use of open-source security software, whose code is by definition public, fit into that confidentiality mandate.

    The problem is that, as any ham operator knows, access to any part of the spectrum is as simple as building your own homebrew equipment. Hackers, by their very nature, already know how to access the radio spectrum; it is the weak, or non-existent, encryption which represents the real threat. Keeping your code closed allows security vulnerabilities to exist for much longer than they would if they could be scrutinized by the public at large.

    Furthermore, any software defined radio, open source or not, can be made "open source" by simply replacing the binary in flash. Which means that any software defined radio, open source or not, can be hacked. Which might be a bigger issue worth more discussion.

  • by LM741N ( 258038 ) on Friday July 06, 2007 @01:13PM (#19769747)
    These are the same FCC bozos who are promoting Broadband Over Power Line, or BPL, despite all the independent technical experts who confirm that the systems are just giant antennas radiating hash, noise, etc., and interfering with Public Service Radio. Along those lines, the American Radio Relay League (ARRL) is suing the FCC over its certification methods for such systems. See www.arrl.org for the details.

  • by russotto ( 537200 ) on Friday July 06, 2007 @01:21PM (#19769857) Journal
    ...at least not security as it's usually defined. It's about prevention of modification by the end user or a third party not authorized by the manufacturer.

    While the rules require these "security" measures to prevent modification to software-defined radios, as far as I can tell (based on several 802.11 devices I've messed with) the only actual "security" measures which have been taken have been to not publish the source. There's not really anything preventing modification of the firmware to operate outside the ISM band or at unpermitted power levels. So I'm not sure exactly what measures the FCC is really requiring, other than that manufacturers don't publish their datasheets.
  • Re:Amusing (Score:3, Interesting)

    by AgentRavyn ( 142623 ) on Friday July 06, 2007 @01:22PM (#19769873)
    To be fair, Enigma wasn't security through obscurity. It was a pretty strong mechanical encryption system that had serious user flaws. Every day, they had to brute force the day code using cribs that they had learned throughout the war.

    The Allies were only able to figure it out after they got a hold of one of the devices, analyzed it, and then rigged up a whole bunch of primitive Turing machines (Alan Turing was pretty essential to this whole process, by the way). Then, as mentioned above, they brute forced the key.

    The Naval Enigma machines were pretty much unbreakable in a reasonable time without cribs. They were the same as the standard Enigmas but had more rotors, thus a higher complexity.

    Had the radio operators been a little more careful, it would've been a lot harder to break Enigma.
  • Re:Amusing (Score:5, Interesting)

    by Penguinisto ( 415985 ) on Friday July 06, 2007 @01:26PM (#19769935) Journal

    Yea, the MPAA and Microsoft are really hurting with their billions in the bank...

    ...meanwhile, their products are well-known for being about as secure as a fresh pot roast tossed on the floor of a wolf pit.

    Just because one can make a profit off of it doesn't make it any more secure.

    And you really can't compare Enigma to current technology.

    I beg to differ - it was:

    1. a hardware-encoded algorithm set, eventually broken by other algorithms (courtesy of a few hardy Polish expatriate mathematicians), and
    2. actively decoded by one of the very first electronic computers in existence (see also "Colossus" and "Bletchley Park")

    Cripes, man... if Enigma/Colossus wasn't relevant in concept, then what is!?

    /P

  • by everphilski ( 877346 ) on Friday July 06, 2007 @01:47PM (#19770235) Journal
    Most SDRs I've seen (all in the amateur radio world ...) are run off of crystals or chips generating a waveform. The base frequency is NOT generated by software... so it is a hardware issue as to frequency, not software.

    Where software comes into play is processing the incoming signal, and generating an outgoing signal. And the software is damn good at that :)
  • by ThreeSpace ( 1108453 ) on Friday July 06, 2007 @01:57PM (#19770363)
    I disagree with your statement that Martin is qualified for his job. Martin is not an engineer and it shows in his opinion towards BPL and other topics. Under the leadership of people like him, the FCC has concentrated more on being the morality police instead of concentrating on competently regulating the spectrum.
  • Re:Amusing (Score:3, Interesting)

    by wperry1 ( 982543 ) on Friday July 06, 2007 @02:01PM (#19770427) Homepage Journal
    All you are saying is that Security through Obscurity is more profitable not that it is more secure.

    That is also why these guys have all the money in the world to throw at politicians and convince them that their way is better.

  • gov't can be great (Score:4, Interesting)

    by bussdriver ( 620565 ) on Friday July 06, 2007 @02:28PM (#19770807)
    Government is customer managed and you get what the majority deserves :-(

    To the person with only a hammer, everything looks like a nail...
    Not all government is bad and wasteful; it can and does outperform the private sector more times than Americans are sold to believe.

    This may be hard to grasp, but it's partially YOUR fault if you can't manage your government employees. (FYI, one of your management tools was the purpose of the 2nd amendment!)

    As Ben Franklin essentially said, any government well administered is good government and all eventually fall (as a result of despotism; society is not a spectator regardless of what they may think.)
  • by Anonymous Coward on Friday July 06, 2007 @02:29PM (#19770819)
    You know, the obfuscation only "works" because none of these teams want to decompile the Microsoft binaries, instead trying to guess by looking at the output, for fear of hypothetical lawsuits. If these teams did decompile the Microsoft binaries, it would get done much faster.
  • by mrcparker ( 469158 ) on Friday July 06, 2007 @02:44PM (#19771017)
    "You can always turn the television off and, of course, block the channels you don't want.... But why should you have to?"

    Kevin J. Martin
    FCC Chairman
  • I miss the "old" FCC (Score:4, Interesting)

    by gone.fishing ( 213219 ) on Friday July 06, 2007 @04:54PM (#19772929) Journal
    A few years ago the FCC was overhauled in an effort to speed the processes of approval and allocation. At that time the most common complaint was that it took years to obtain approval for new technology. The truth is that the old FCC did seem to drag their feet, and yes, it was rather difficult to get approval for new technology, and to get a piece of the radio spectrum reallocated you may as well forget about it. People and industry did have a lot to complain about. When the FCC did make a decision, it was (almost) always the right one; it had been well researched, and lobbyists and lawyers had little influence. Even the politicians really had very little say.

    When the system was overhauled, it was done with the best of intentions. They allowed industry access in ways that they never had before and the FCC had to start to rely on information presented by the very industry that they were intended to police! Today, we could almost describe the industry relationship with the FCC as symbiotic.

    The FCC has as its primary charge the responsibility of making the public airwaves work for the public. They protect these airwaves by allocating frequencies, by approving new uses, and by certifying equipment that may use or interfere with the public airwaves.

    With technology changing so fast, and the airwaves being so crowded, and all sorts of new ideas (good and bad), the FCC has lots to do. Congress told them to work faster and be more responsive to industry. Industry does not want OSS, they view it as competition. They would rather develop copyrighted and even patented software to do this stuff so that they can earn a healthy return on investment. The FCC is simply echoing this as they have been instructed by congress to do (they see it as working with industry).

    OSS is sort of socialist when you think about it from the closed source standpoint. It is a threat simply because it is free. You would think public airwaves would be a place where free software would be at home -- and it should be, but it isn't, because the FCC is no longer really allowed to make the best decisions for the public. They must now answer to the very people they are supposed to police. That is simply wrong; they should answer to the public and the requirements of international treaties.

  • Re:Amusing (Score:3, Interesting)

    by adrianmonk ( 890071 ) on Friday July 06, 2007 @09:14PM (#19775607)

    One of the biggest factors in cracking the Enigma code was the fact that the German high command insisted that the settings for every wheel had to change every day. This dramatically reduced the search space. [ ... ] I always remember this whenever I get a password rejected by a system because it must contain at least one uppercase letter and one number...

    I agree. I had a chuckle recently when we had a security training course at work, and they went through a lot of explaining of what the rules are for creating a "good password". There was a whole lot of this "must have a number", and so on. But not only that, they gave you a sort of recipe for doing it, with suggestions like "turn letter 'E' into a '3' or letter 'O' into a '0'". These rules are great if you want to remove entropy, because that's what rules do. But why do you want to remove entropy from your "randomly"-chosen secret? (I suppose it's not such a bad thing, though, if in actuality you're substituting one so-so set of rules for a much worse set of rules, like "always pick your girlfriend's first name".)

    On a side note, I sometimes test people's knowledge of what randomness means by saying "giving the same number many times in a row would be a valid behavior for a truly random random number generator" and seeing if they protest. If they do, I know that either they didn't listen to the question closely or they don't understand what a random number is: if it's disallowed for the current number to match the previous one, then it's not random, because you have a requirement that there be a negative correlation, whereas random means no correlation.
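The point made in the comment above, that composition rules and the "must change every day" Enigma rule both shrink the search space, can be made concrete. This is an added example, not code from the thread; it assumes a 62-character alphabet (26 lowercase, 26 uppercase, 10 digits) and a uniformly chosen password, and counts the constrained space by inclusion-exclusion.

```python
import math
from itertools import combinations

# Constructed example: class sizes for an assumed 62-character password alphabet.
CLASSES = {"lower": 26, "upper": 26, "digit": 10}


def count_with_required_classes(length, class_sizes, required):
    """Number of strings of the given length over the whole alphabet that
    contain at least one symbol from every class named in `required`.

    Inclusion-exclusion over the set of required classes that are *missing*:
    sum over k of (-1)^k * (alphabet minus the k missing classes)^length.
    """
    alphabet = sum(class_sizes.values())
    required = list(required)
    count = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            remaining = alphabet - sum(class_sizes[c] for c in missing)
            count += (-1) ** k * remaining ** length
    return count


def entropy_loss_bits(length, class_sizes, required):
    """Bits of entropy removed by the rule, relative to an unconstrained
    uniform choice over the same alphabet and length."""
    unconstrained = sum(class_sizes.values()) ** length
    constrained = count_with_required_classes(length, class_sizes, required)
    return math.log2(unconstrained) - math.log2(constrained)


def daily_change_loss_bits(wheels=3, positions=26):
    """Bits lost when every wheel setting must differ from yesterday's:
    each wheel has positions-1 choices instead of positions."""
    return math.log2(positions ** wheels) - math.log2((positions - 1) ** wheels)


if __name__ == "__main__":
    rule = ["upper", "digit"]
    for n in (6, 8, 12):
        print(f"{n}-char password, must contain upper+digit: "
              f"{entropy_loss_bits(n, CLASSES, rule):.3f} bits lost")
    print(f"3 wheels must all change daily: "
          f"{daily_change_loss_bits():.3f} bits lost")
```

The loss is small per password (a fraction of a bit) but, as the comment notes, it comes from an attacker knowing which strings are impossible; the rule that no symbol may repeat yesterday's is the same kind of leak.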
