FCC Rules Open Source Code Is Less Secure
An anonymous reader writes "A new federal rule set to take effect Friday could mean that software radios built on 'open-source elements' may have trouble getting to market. Some US regulators have apparently come to the conclusion that, by nature, open source software is less secure than closed source. 'By effectively siding with what is known in cryptography circles as "security through obscurity," the controversial idea that keeping security methods secret makes them more impenetrable, the FCC has drawn an outcry from the software radio set and raised eyebrows among some security experts. "There is no reason why regulators should discourage open-source approaches that may in the end be more secure, cheaper, more interoperable, easier to standardize, and easier to certify," Bernard Eydt, chairman of the security committee for a global industry association called the SDR (software-defined radio) Forum, said in an e-mail interview this week.'"
Just goes to show how much a bunch of gov't bureaucrats know. Or maybe they're just being ass-kissy with business again.
Because Security Through Obscurity totally worked for:
MPAA (DeCSS)
Nazis (Enigma)
Xerox (Robin Hood & Friar Tuck)
Microsoft (just about any form of security they've ever had)
and about a billion other examples
Karma: Non-Heinous
Around the world, people who were in the middle of saying "What the IRS doesn't know, can't hurt me !" suddenly stopped & asked, "Did you feel that, there's a disturbance in the force".
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
Shhh. It's a secret!
If I'm trying to break into some code, and I can read the source code to determine how the author protected it, I'll have an easier job (note: "easier", not "easy") because I can home in on the algorithm the author used. I know whether it's Blowfish, DES, AES, IDEA, or a simple XOR or substitution cipher. I know what pre-encryption steps were taken, and what post-encryption algorithms were used.
Let's say that in a moment of insanity, I decided to use a basic XOR encryption routine (create each byte in the encrypted stream by XOR-ing the corresponding source byte with every byte in the password save one, rotating that one as I iterate over the source). This is completely and utterly trivial to crack if you have the source code and *know* the routine I used. It's a repetitive cypher, so it's reasonably obvious unless the password is of significant length (a sizeable fraction of the source's length) as well. Note the difference - it's easier with the source code.
Now that's a contrived example - no-one in their right minds would use an XOR cypher, but the same principle applies to harder encryption techniques. If you *know* what system was used to protect the source, you have an advantage over not knowing... Did they gzip the source before encrypting it ? Did they use ZIP, RAR, or 'compress' instead ? Did they XOR to hide the obvious compression header ? Is it inverted (last byte first) or was any other transformation done *before* the encryption stage to try and make it non-obvious that a successful crack had taken place ? These are all "knowns" if you have the source code...
So, yes, it is easier when you have the source code. Security through obscurity is rightly derided, but not because it has no value. It is derided because it leads to the use of insecure encryption methods (small keys, using XOR/whatever instead of proper hard encryption, etc) and the fact that once the obscurity is cleared up, there's no more security. The idea is that if you are sufficiently confident that your encryption is unbreakable, you *can* document how you did it in public. That doesn't mean you *should*.
The point though, and why I disagree with the regulators, is that if you're using hard encryption, it really doesn't matter whether it's *easier*, it's not *easy*. It is in fact still so damn hard, that we're talking "impossible in our lifetime(*)" - the relative comparison makes no sense. It's akin to measuring the height of Mount Everest at 6-month intervals - it's always pretty darn high, though you might find some variance due to snowfall.
So, yes, they're right. But by not considering the (tiny) impact of their conclusion, they have made the wrong ruling.
(*) Modulo the discovery of an easy way to crack the encryption technology, of course.
Simon.
Physicists get Hadrons!
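The routine Simon describes above (XOR each byte with every password byte save one, rotating the omitted byte) collapses into an ordinary repeating-key XOR, and the comment's other point, that a guessable header such as a gzip or file-format magic gives the analyst a known plaintext, is exactly what breaks it. The following is an added example written for this page, not code from the thread or from any project; the password, the "firmware config" plaintext and the header are constructed sample values. It shows that once a short known header is available the whole keystream and its period fall out, whether or not the analyst ever saw the source code, which is the Kerckhoffs/Schneier point raised elsewhere in the thread.

```python
"""Repeating-XOR "encryption" as described in the comment above, and the
known-plaintext analysis that breaks it.  Added example; all values constructed."""


def effective_key(password: bytes) -> bytes:
    """The comment's routine: byte i is XORed with every password byte except
    password[i % n], and the omitted byte rotates.  XOR is associative, so the
    byte actually applied at position i is (XOR of all password bytes) ^ password[i % n].
    That is a plain repeating key of period n, which is what makes it weak."""
    total = 0
    for b in password:
        total ^= b
    return bytes(total ^ b for b in password)


def encrypt(plaintext: bytes, password: bytes) -> bytes:
    """Apply the rotating-omission XOR byte by byte."""
    key = effective_key(password)
    n = len(key)
    return bytes(p ^ key[i % n] for i, p in enumerate(plaintext))


decrypt = encrypt  # XOR is its own inverse


def recover_keystream(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """Known plaintext (a file header the analyst can guess) XORed with the
    ciphertext at the same positions yields the keystream bytes there."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_prefix))


def find_period(keystream: bytes) -> int:
    """Smallest p such that the recovered keystream sample repeats every p bytes.
    Needs a sample at least one full period longer than the key to be reliable."""
    for p in range(1, len(keystream)):
        if all(keystream[i] == keystream[i + p] for i in range(len(keystream) - p)):
            return p
    return len(keystream)


def break_with_known_header(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """Full recovery from ciphertext plus a guessed header: no source code,
    no password, just the structure the cipher leaks."""
    keystream = recover_keystream(ciphertext, known_prefix)
    period = find_period(keystream)
    key = keystream[:period]
    return bytes(c ^ key[i % period] for i, c in enumerate(ciphertext))


def key_cancels(ct1: bytes, ct2: bytes) -> bytes:
    """Two messages under the same password: c1 ^ c2 == p1 ^ p2.  The key drops
    out entirely, which is the other classic failure of this scheme."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))


# Constructed sample values (not from the thread).
PASSWORD = b"s3cret!!"
KNOWN_HEADER = b"# radio-firmware config v1\n"          # 27 bytes, > 3 periods
SECRET_FILE = KNOWN_HEADER + b"tx_power_dbm=20\nband=2.4GHz\n"

if __name__ == "__main__":
    ct = encrypt(SECRET_FILE, PASSWORD)
    print("effective key:", effective_key(PASSWORD).hex())
    print("period found :", find_period(recover_keystream(ct, KNOWN_HEADER)))
    print("recovered    :", break_with_known_header(ct, KNOWN_HEADER).decode())
```

The lesson for a defender is the one the thread keeps circling: the secrecy of the routine bought nothing, because the ciphertext itself reveals the period and a known header reveals the key. A cipher whose security rests only on its key (AES with a fresh random key per message, for instance) does not leak in either way, which is why its algorithm can be public.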
Wow, it sure didn't take long for someone to blame Bush for this.
And we keep voting the same crew into office who keep appointing the same bozos to the FCC... shame on us.
OCO is Loco
Sure there is, and it's called payoffs.
---- Booth was a patriot ----
By the "security through obscurity" definition tools like PGP would be insecure.
Yeah right....
So Microsoft http://publicintegrity.org/lobby/profile.aspx?act=clients&year=2003&cl=L002186 and Apple http://publicintegrity.org/lobby/profile.aspx?act=clients&year=2003&cl=L000538 have some of the bigger IT lobbying efforts around, and FCC bureaucrats don't know the difference between their ass and 2 holes in the ground.
What is the news ?
... since its very inception back in 1934 (and its predecessor, the "Federal Radio Commission", from 1927 until 1934) has always been under the corrupted financial influence of the big broadcasters, despite the faux-adversarial image they try to paint on their relationships.
Over at the Software Freedom Law Center, we've published a white paper regarding the new rules. That might be of interest to some.
I'm sure they were presented with Kerckhoffs' principle, but since it didn't involve steroids, internet taxation, or huge tracts of land they skimmed right over it.
we need to safeguard our infrastructure and start licensing the programming profession, too many kids in their moms' basements can contribute buggy code to major open source projects, and given that linux is based on code by foreigners like "dvd jon," there's no telling what backdoors Al Qaeda has running in our country's networks.
How can you prove something is secure if you can't see the source code?
You can't.
The FCC's position is that it is better to hide one's head in the sand and hope the vendor implemented a secure solution than to actually *prove* the solution is secure.
The FCC has always worried that the technology's flexible nature could allow hackers to gain access to inappropriate parts of the spectrum, such as that used for public safety. So the regulators required manufacturers to submit confidential descriptions showing that their products are safe from outside modifications that would run afoul of the government's rules. Cisco's petition asked the regulators to clarify how use of open-source security software, whose code is by definition public, fit into that confidentiality mandate.
The problem is that, as any ham operator knows, access to any part of the spectrum is as simple as building your own homebrew equipment. Hackers, by their very nature, already know how to access the radio spectrum; it is the weak, or non-existent encryption which represents the real threat. Keeping your code closed allows security vulnerabilities to exist for much longer than they would if they could be scrutinized by the public at large.
Furthermore, any software defined radio, open source or not, can be made "open source" by simply replacing the binary in flash. Which means that any software defined radio, open source or not, can be hacked. Which might be a bigger issue worth more discussion.
The society for a thought-free internet welcomes you.
You mentioned Nazis! Godwin's wrath upon you!
Of course this is nothing new. Technical decisions are being made by non-technicians for non-technical reasons. Technology is complicated, so not everyone can be a technician, but it is important, so everyone will ultimately need to make technical decisions.
Technically meritless technical decisions, with potentially harmful consequences, and that are legally binding, will always have expression in the new world.
And sneak in a backdoor to the code I sell the government. Since it's "more secure" closed source which they can't see, they'll never know about it as I data mine their systems.
It's this same logic that limits us to 3oz liquids on a plane, because you know multiple terrorists would never get together to combine their 3ozs into 6ozs, 9ozs or even... 12ozs!
from TFR:
A system that is wholly dependent on open source elements will have a high burden to demonstrate that it is sufficiently secure to warrant authorization as a software defined radio.
By this they probably mean, if the radio is open source then any DRM is useless, and this is insufficiently respectful of the benighted Copyright Holders of whatever is being played, thus it is "less secure."
I am somewhat perplexed as to why the FCC would need to be regulating the security of consumer devices. For organizations that need secure communications, there are already many government and private certifications that ensure this. But why on earth would they restrict consumers from purchasing non-secure software radios if they don't need them?
Is this because they feel that software radios could be hacked to broadcast outside of their certified frequency and power limits? Or because they think they need to protect the public from buying 802.11 routers with crappy WAP implementations?
These are the same FCC bozos who are promoting Broadband Over Power Line or BPL, despite all the independent technical experts who confirm that the systems are just giant antennas radiating hash, noise, etc and interfering with Public Service Radio. Along those lines, the American Radio Relay League (ARRL) is suing the FCC over its certification methods for such systems. see www.arrl.org for the details
After reading the article, it looks like the FCC is concerned that FLOSS software would enable the Software Radio to be changed in a way that violates FCC rules. Things that cause interference for example. I think the Makers will need to use something like TiVo does to prevent changes and this means GPL3 will not work well. Tim S
In my experience these statements are true...
- secure: sometimes; more likely with more popular projects, less likely with smaller projects
- cheaper: sometimes; adding in cost of people to noodle with code or interfaces can raise costs quickly (however cost may be minimal if we're talking about cloning a few thousand embedded cuts, etc.)
- interoperable: definitely, because if the code doesn't work, you can change it
- easier to standardize: sometimes, tends to depend on the project leader's goals (although forks can solve this)
- easier to certify: definitely not, because the code frequently shifts (e.g., OpenSSL's experiences with FIPS validation)
The security bit is just a cover story. This is about some perceived danger to the RIAA, MPIAA and similar cartels.
"If I'm trying to break into some code, and I can read the source code to determine how the author protected it, I'll have an easier job (note: "easier", not "easy") because I can home in on the algorithm the author used." You fail to mention that you will have a harder time finding a bug because the code has been so well reviewed by an entire community. That fact should not be ignored.
... for black hats :(
Looks like someone needs to drop the FCC a note to inform them that an Open Source operating system has somehow managed to achieve LSPP/EAL4+ Common Criteria security certification.
An unjust law is no law at all. - St. Augustine
The problem the FCC (and every other emission regulation body) has with open source and software radio is that it will be trivial to modify a device using these methods to emit at an arbitrarily high power level over a restricted wavelength, or using a band without using the proper medium access control. If this happened, the wavelength would be pretty much unusable for all other users until the FCC tracks down the emitter, and shuts him down.
That's why today, most radio-enabled devices, and especially mobile phones, have to pass type conformance to be commercialized in a geographic area. In the current state of things, if the radio software can be changed by the user, the type conformance cannot be awarded. Software radio makes things worse, because it is harder to justify that a component cannot emit at a given frequency, if changing the software in this component would allow switching emission frequencies at will.
The FCC has absolutely no power to regulate nor any say at all in how software radio or television are implemented.
The FCC commissioners are deluding themselves, again, if they think Congress gave them the power to appoint monopolies.
They have already been slapped down once with regards to the DTV Redistribution Control flag and they're about to be slapped down again.
http://pacer.cadc.uscourts.gov/docs/common/opinions/200505/04-1037b.pdf
What's next, washing machines and clock radios?
If the Foolish Child Commission can't remember the limits of their power, We the People will be more than happy to remind them, spank them and send them to their 'time-out' corner once again.
Well, if they [FCC] are going to take this stance, it is our duty to enlighten them as to the consequences of their actions.
I would like to see a Month of Closed-Source Software Radio Hacks
Then they [FCC] will discover that since the closed source software radios are not examined by independent unbiased debuggers, the possibility of bugs, bad encryption schemes, et al is a very high possibility.
Maybe then the government bureaucrats will see the merits of Open Source.
My backup chemistry thesis stored on Data Storing Bacteria mutated; granting me a degree in forensic anthropology. v4sw7
...at least not security as it's usually defined. It's about prevention of modification by the end user or a third party not authorized by the manufacturer.
While the rules require these "security" measures to prevent modification to software designed radios, as far as I can tell (based on several 802.11 devices I've messed with) the only actual "security" measures which have been taken have been to not publish the source. There's not really anything preventing modification of the firmware to operate outside the ISM band or at unpermitted power levels. So I'm not sure exactly what measures the FCC is really requiring, other than that manufacturers don't publish their datasheets.
FTA | ...the FCC decreed that open-source security software, too, cannot be made public if doing so would raise the risk that the FCC's rules could be sidestepped. ...|
Well here your problem...
Our government has become an extension of the profit motive. Everything for someone's profit. Period.
If the end-user can modify the source with reasonable ease:
They can easily bypass any "broadcast flag";
They can remove restrictions on which channels a scanner can scan;
They may be able to transmit on forbidden channels or at
power levels that are above those permitted for a channel.
That is the sort of hacking that frightens the FCC
Andy
Sir, you will no doubt be shocked to learn that this neither comes with a silver platter, or chilled champagne. I know when this realization dawned on me, my monocle popped out and rolled under my desk. My gentleman's gentleman, Wheatley, has noted his displeasure with your oversight while remedying the situation.
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
I'd have to give them a big "Yes and No." The breakpoint is whether or not there's an active community of people looking over the source and testing it. If there is, they're more likely to find insecurities before hackers. If not, and the only people reading the source are hackers, there could be a problem. All of this to me suggests that the Open Source community should consolidate, have fewer projects, and we can all subject each other's projects to more rigorous review.
technical writing / development
Look up Kerckhoffs' principle. Security through obscurity is a widely debated subject going all the way back to the 19th century where cryptography is concerned, and earlier than that in locksmith circles, and it is more or less a consensus that it is not only ineffective but terribly dangerous, because "every secret creates a potential failure point".
Read the wikipedia article, it is enlightening and very insightful.
There's nothing inherently secure about closed source software or anything inherently secure about open source software. In fact, closed source software that is not secure when the source code is visible is not really secure at all.
It's just that the boys at the FCC are go getters! Who cares if they aren't software security people, it's the FCC! They see a problem and are totally pro-active to take it on. Morality cops on TV and radio? That definitely falls within assigning and licensing portions of the EM spectrum for private industry. They're just going above and beyond.
All hail the FCC!
(can I puke now?)
More Twoson than Cupertino
Joe Biden, is that you?
This sounds a lot like microsoft "declaring" they are not bound by the GPLv3. They can make whatever "declarations" they want-- it doesn't mean they are necessarily true. Sadly-- IT management and most software radio users will read that as a fact and not an opinion.
I'm sure he appointed people to the FCC who are every bit as competent as:
Brown
Chertoff
Wolfowitz
Rumsfeld
Harriet Miers
Alberto Gonzales
Scooter Libby
...it's a very long list. Should I keep going or did I make my point?
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
-William Brendel
Here's my blog post on the subject, hope you enjoy: http://ultra.iblogger.org/index.php?itemid=3
"Ceteris paribus" -- assuming "allthings being equal", which they never are.
True, if you have two equally boneheaded pieces of software, then exploits in the closed one are harder to divine -- not by much, but harder. On the other hand, if you have a piece of software that has survived years of public scrutiny by experts, that is presumptively harder to exploit than something some random engineer ginned up in secret.
Something cannot be widely reviewed (which is the gold standard in security) and secret at the same time. So generally, I think open source represents the best by far and the worst by a little of security possibilities.
The ultimate problem is that broad statements like X is more secure than Y are meaningless. You have to specify the context and threat you are concerned with. Is an open source interpreter burned into a ROM inside of microwave oven more vulnerable than a proprietary interpreter? Well, against what? Same goes for the software radio thing.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Standard Neo-con practice, appoint like-minded, highly loyal individuals into key points of power to make decisions that benefit big companies and personal investments in ways that Congress cannot easily affect.
Kevin J. Martin is the current head of the FCC, appointed by Bush in 2005. Prior to that, he was general counsel for Bush's first election campaign, then he took over the 'technical transition' when Bush/Cheney were moving into the White House. After they got settled he picked up a nice position as a White House assistant. The guy is nothing more than yet another Neo-con crony who shows his loyalty to big business and the party line over the interests of the people and gets promoted for it.
On the bright side though, he is at least somewhat qualified for the job. He has a real degree from a real school, he worked at the FCC prior to being appointed to Chairman, and has focused much of his career in the tech/telecomm industries.
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
Both parties are corporate shills.
It's only the second comment and this thread is already Godwin'd
Only on Slashdot!
Pete/Petri "damn, my chainsaw is clogged with 1's and 0's again." --clyde
in the classic sense, it's about ensuring that some bozo can't rewrite the driver or firmware and cause the radio to violate the FCC rules the device has been registered for. I.e., overpowering the frequency, leaking into adjacent frequencies, causing undue interference, using bands it's not cleared for, not dealing with interference it may receive, etc.
I am not agreeing with the FCC on this one, but I am going to defend "security through obscurity" a little due to expected /. audience oversimplification and knee jerking. At times "security through obscurity" is a perfectly valid and desirable approach when used *alongside* other good techniques. It is only bad when it is the foundation of your security. Note that I am only addressing the security angle and not addressing open source philosophy (or for some out there religion).
...like Bruce Schneier:
"If an algorithm is only secure if it remains secret, then it will only be secure until someone reverse-engineers and publishes the algorithms. A variety of secret digital cellular telephone algorithms have been "outed" and promptly broken, illustrating the futility of that argument."from Crypto-Gram: September 15, 1999
But what could we expect from an FCC headed by a lawyer, a businessman, a professional Senate staffer, a DRM-supporter who received coaching from Clear Channel to oppose a satellite radio merger, and a professional telecom corporate lobbyist.
i am the opposite of tom_good, i am the XOR of ]=9fÆ"ÝÕ and ÖÆ\KF, i am 746F6D5F6576696C00.
I disagree with your statement that Martin is qualified for his job. Martin is not an engineer and it shows in his opinion towards BPL and other topics. Under the leadership of people like him, the FCC has concentrated more on being the morality police instead of concentrating on competently regulating the spectrum.
Enigma was publicly documented to a degree. It was based upon commercial devices from the 1920s, this greatly facilitated those who attacked it. The extensions / revisions made to the basic design were kept secret, however the weaknesses that led to its defeat were not these extensions or revisions but operator error. For example operators would send the same test message each morning, a violation of their training and procedures, and this greatly aided in the discovery of the day's configuration of the machine.
This example aside, your suggestion that "security through obscurity" is bad is wrong. See http://slashdot.org/comments.pl?sid=246437&cid=19770229.
This is exactly how the FCC should be expected to rule if it is so arrogant to rule on so broad a notion at all. Not because there is any real relevant security concern on the part of the FCC. There is a "security concern" that software radio in particular can make it hard for government and industrial bedfellows to protect their profits and control however. With a proliferation of software radio, especially at the hands of the prolific open source folks, things like cell phone lock in, relative scarcity of VOIP over wireless offerings and especially mass communication fully open to government spying could be very seriously threatened. There are powerful monetary and political interests at work here. It is not really being looked at or decided on technical merits at all. It is yet another brick in the wall being built and ever improved to shutdown any real empowerment of the people through the information revolution.
Do not get sidetracked into single issues. Remember to look for the pattern.
Yes, if you did something stupid and your source code was available to the world, it could take less labor to discover your stupidity than if your source was closed.
... My OS is better than yours. Oh wait, that's also the same stupid argument. Market-share, value of the information assets, etc., all play a role. Ask me for my opinion and I'll tell you they all suck, regardless of whether they're open or not. Why? Because the fundamental building blocks we're still depending upon are not reliable, e.g. ARP, DNS, DMA (where your USB thumb drive's driver can overwrite kernel code in memory thanks to DMA), etc.
OTOH, having source available for competent reviewers does increase the likelihood that your stupidity will get caught before it goes to market or, hopefully, shortly thereafter.
But that's just it: having the source available to competent reviewers. It has NOTHING to do with whether the source is open to everyone or not.
Open source != Better Security
Closed source != Better Security
This is as stupid as the ID vs Evolution argument. These are NOT mutually exclusive points. There are many open source projects that have sucky security because they don't have competent security analysis done by competent security analysts. Likewise, there are closed source products that have decent security because they invited competent security analysts to review the code. It's not whether your code is open/closed, it's all about who is reviewing your code.
Do you need an example? Try the NSA. They have code whose source is closed to the world, but is reviewed by competent analysts.
Nanny, nanny, boo-boo
--
The unfortunate reality is that it's seldom the best technology that is adopted, just the technology that is in the right place at the right time.
libertarian: (n) socially liberal, financially conservative; neither left, nor right.
It is not their place to determine the methods used to design and bring a device to market. That seems to be counter to commerce laws. The FCC should be concerned with results.
And to be honest "security" is not the issue we're having with software radios. It's bugs. And closed source and open source software both have lots of bugs. Although the bugs are not as well known or well understood by users with the closed source implementations. It's just a black box.
The FCC would not accept hardware radio without diagrams and schematics of the design, and the FCC never punished vendors in the past for including the schematics of radios to customers. Any decent pre-1990s 2-way came with the schematics, or they were available for the cost of mailing to any customer or technician.
It's just a weird direction for the FCC to go. Are they protecting our airwaves with this move? I don't see how. Therefore it is outside of the scope of their mission.
“Common sense is not so common.” — Voltaire
OK, so by changing the code on a software defined radio, I can make it work differently. This could be a Bad Thing, because I might interfere with other services, and is a valid concern for the FCC.
However, I can already do this, quite easily, with any radio I choose. I can even go to a surplus dealer and pick up a used radar set and create all kinds of havoc. It's not exactly a new "threat", but neither is it a significant one.
So, what exactly is the FCC worried about? Clever people hacking radios to do what they want with them? It's been done for years by licensed ham radio operators and others who aren't licensed. Sometimes it's done within the rules and sometimes not. The only difference here is that it's done by tweaking the firmware, which requires skill and specialized equipment, so probably won't be done by J. Random Luser. The world is still using their cellphones, GPS mapping systems and the police, fire, air and broadcast services are still able to operate without any significant jamming.
Hams are starting to play with SDRs. The source is open so people can learn. One of the stated purposes of the amateur service is to develop a trained reservoir of people "skilled in the radio art". I'm not sure how proprietary code helps make this happen...or how open code makes abuse more likely.
The FCC in recent years has become less of a technical regulatory body and much more of a tool for advancing political and economic agendas. Maybe it's time for them to get back to their roots and stop acting like they would do whatever the highest bidder wants.
And in reality, maybe he does so. But in all likelihood, large businesses with lobbying forces and access to the Vice President (Martin's wife is an aide to VP Cheney) likely have a lot more influence than the public at large, and perhaps even his engineers (provided they haven't also been lobbied or cherry-picked neo-cons).
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
We've decrypted your text, and the FCC would like to inform you that we do not approve that sort of vulgarity! -the FCC
Ben Hocking
Need a professional organizer?
Dang, it is a good thing AES is proprietary and secret, otherwise all our banks will be at risk...
Excuse me, but please get off my Pennisetum Clandestinum, eh!
The FCC has failed time after time at their core mission. How can they be critical of areas outside of their expertise? Their mandate is regulating and managing spectrum. Hold your cell phone up to any audio device, even one without any kind of transmitter or receiver. Hear that awful noise? That's the sound of one hand clapping. That is the sound of failure, my friends.
Why is all the AM/FM bandwidth allocated as high power? Is that the only way it will work? Is commonly accessible radio only useful on a regional scale? No, they are a bunch of whores for the big companies that want big inaccessible radio only.
The no copy bit? WTF?
And BTW whatever dumbass defended Bush on this you are a civics retard. The President appoints the head of the FCC, and congress risks even bigger chaos if they cut funding and there is nobody at the wheel.
Whoever is president is largely responsible for the performance and policies of the FCC, and Bush sucks!!!
Novel theory: Modern Man evolved from psychopath
First, I am a tremendous supporter of OSS, but historically there has been a learning curve for OSS development as the early developers were breaking new ground in terms of organizing contributions in a completely asynchronous manner. Until recently, open source development practices have been umm... lacking somewhat in coherence... The folks at UC Davis, Berkeley, and UMD-College Park used their constraint-based, context-aware program call flow graph analysis package to uncover what they refer to as bug churn within the Linux kernel over several successive versions... I.e. they observed previously quashed bugs resurface in later versions. Link to pdf preso: http://cents.cs.berkeley.edu/retreats/winter_2005/cukwip.pdf
So, not to be too much of an apologist for the FCC, but in the past there was significant justification for the OSS==insecure perspective and as we all know, government is always the first to identify new trends.
"If still these truths be held to be
Self evident."
-Edna St. Vincent Millay
or at least misleading. It's not saying that the software is more insecure and it's not saying that open source software is insecure, it's saying that a phone with software that can be altered by a third party should be classified differently because of the hardware that it's running on. In other words, because a cell phone messes with radio waves, if the software on the phone is designed so that it can be altered by a third party, it should be treated differently than one in which the manufacturer controls the software. This isn't security through obscurity in that they're hoping for fewer bugs or security holes in the software, it's security by limiting the software that runs on the phone to just the hardware makers.
I hate to say it, but, some evidence suggests that obfuscation works if there is enough of it. Cryptography is ultimately about adding cost and time to an enemy's retrieval of a message to deter them from attempting to read it, or at least render it less valuable by the time they do, and obfuscation can do that.
I mean, to some extent, even Microsoft's non-encrypted formats are somewhat secure. No one knows how to produce an authentic Word document to the last detail. I don't see an open source file system driver for Linux that lets you reliably write to NTFS formatted partitions, and the SAMBA team has numerous problems trying to read Microsoft file and print sharing stuff. If you view all of these closed source efforts as a way to "encrypt data", in the very least, MS has successfully made a lot of their software tamper resistant by the mere virtue of not publishing the source code.
This is my sig.
Open Source Security sounds very much like an oxymoron. It pretty much is if you think about it. How can you make something secure if your enemy knows how the lock is made, how everything else works. How can you keep your house safe if the locks are made so that anybody knows how they are made and know the weak points and can easily pick them? People pay top money for security and they sure as hell won't go for something that is openly available, even the people they are trying to secure their items from.
From a consumer standpoint OSS is good, but for government agencies, private industry, rich art collectors, etc., they'll want something unique and something only the owner and the creator will know how it works.
Previewing comments are for sissies!
can they really be THAT dumb or is this really about software radios being too flexible that pulling down signals they aren't supposed to is worrying both the Feds and the hardware manufacturers?
Whatever the motive, it's a dumb statement to say open software is less secure than proprietary when there are many Fed created/used cypher algorithms which have shown this not to be the case. And let's not forget how secure Microsoft Windows has been for the US government at the state and fed levels.
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
viruses have been repeatedly infecting large numbers of personal computers and Internet servers running Linux. For YEARS the newspapers, magazines, and Internet media sites have been full of stories detailing such infections and the losses to business and personal information that they cause. Giant zombie farms containing thousands of Linux boxes infected by simple email attachments are legendary. What amazes me is that in the face of such infection rates and personal data lost people continue to use Linux. A totally brain dead decision.
Oh, wait,..... those stories are about Windows viruses and zombies!! Never mind.
Even though Anti-Virus software houses have tried to whip up a fear factor in Linux users by adding the word "linux" to hundreds of Windows jpeg and other viruses, in reality Linux has had only 6 ACTIVE infection agents in the last 15 years. The most recent, four years ago, was called the "Slapper worm" (http://www.cert.org/advisories/CA-2002-27.html) and infected a few thousand computers in Eastern Europe who were running a commercial Linux distro that set them up as root. During that time CodeRed was infecting MILLIONS of PCs running Windows. The ONLY way a cracker can create a Linux zombie farm is by manually breaking into each box, one by one, and hoping they don't get caught. That's why they prefer Windows boxes. A simple email or a visit to an evil website is all it takes. BTW, it is also interesting to note that CERT has stopped keeping historical data on infections. One has to wonder why if it is not to protect the reputation of the most bug ridden OS on the planet.
Did the FCC regulators get confused? I don't think so. This has all the SMELL of a political decision based on undue influence, not facts. If any OS should be outlawed it should be VISTA, which scored only an 84.2% detection rate against several thousand KNOWN viruses. IF proprietary coding practices produced such secure code why is VISTA so INSECURE?
Has someone at the FCC taken a bribe?
Running with Linux for over 20 years!
No I didn't RTFA, because I was stumped by something before I could even care about the topic of TFA: Why does my radio need to be secure?
I've got several analog radios around the house, and the FCC apparently doesn't give a damn about whether they're secure or not. I don't need an encryption key to turn them on and listen to the news or music. I could go get a bucketful of electronic parts and build a device to receive AM or FM signals. If I wanted to sell such a device I might have to get certification that it doesn't interfere with any other receiving equipment, but I don't recall seeing any FCC notices on my radios about security or anything.
Surely this isn't just because somebody wants to create a locked-in environment where you have to pay to play (or listen)? Surely there's a more fundamental reason why the FCC is worried about the security of my radio. If there is, somebody please point it out.
[b.belong('us') for b in bases if b.owner() == 'you']
Interesting that they apparently didn't consult folks at NSA. Their operating hypotheses for any US cryptosystem are:
1. The equipment is known and available for disassembly and testing
2. The algorithm is known or discernible from the equipment and related manuals
3. You have lots of output data from the device (the underlying plain text is properly)
4. You don't have the key...that's what you need
While I will grant that most folks never see any of this (most equipment, algorithm details, and key parts of repair/use manuals are classified), they assume the worst case and still make it secure. In other words, like having open source code and figuring out the key from that and clean output.
While "Security through Restricted Access" is a very good practice, the argument is STUPID at best, and downright biased towards closed, proprietary software vendors. Frankly, these people couldn't encrypt their way out of a wet paper bag with a pen, ruler, and other sharp things like their pointy little heads.
If they think it is "less secure" we can lock them up somewhere with whatever they want to crack an open source cryptosystem used as the jail lock and see how soon they get out. I hope they include a lifetime supply of food, water, toiletries, medicines, etc. I think a simple 1024 bit Elliptical Curve Cryptographic system will keep them safely behind bars for several decades, if not their lives.
Where do they find these bozos to fill these positions? I'd like to know so we can close that source of universal stupidity off and make the world a better place...
I guess these folks will never qualify for one of my D.O. letters...they're either just too stupid or have such low IQs that they need to be institutionalized immediately.
Supreme Granter of Doctor of Obviology Letters ("A FIRM Command of the Obvious")
but wouldn't they spin the hacks as evidence of the degraded moral character of open source advocates? Then those hacks would be used to harden the proprietary products.
We are not going to get anywhere trying to reason with these people.
Perhaps your experience differs, but most people I know are unaware of these issues, or know only as much as they learn while listening to a soundbite on the evening news. We can't reason with the rulemakers, and we can't make this a popular issue because most people have 'more important' things to worry about.
We need to use a bit of creativity and innovation to find a new approach. Unfortunately I have no suggestions at this time.
Regards.
This is up there with the state of Indiana nearly passing a law stating that Pi would be equal to 3.14.
http://www.straightdope.com/classics/a3_341.html
Pi is not a rational number: this is a natural law.
Legislatures, no matter how hard they try, can't repeal the law of supply and demand: it is a natural law.
Similarly, a government bureaucracy can't simply decree that Open Source is less secure: the greater security of open source software may not be considered a natural law yet, but it's getting there.
[ home ]
Government is customer managed and you get what the majority deserves :-(
To the person with only a hammer, everything looks like a nail...
Not all government is bad and wasteful; it can and does outperform the private sector more times than Americans are sold to believe.
This may be hard to grasp, but it's partially YOUR fault if you can't manage your government employees. (FYI, one of your management tools was the purpose of the 2nd amendment!)
As Ben Franklin essentially said, any government well administered is good government and all eventually fall (as a result of despotism; society is not a spectator regardless of what they may think.)
Democracy Now! - uncensored, anti-establishment news
Ironically, Microsoft execs are Democrats, not Republicans. On top of that, a few if not all are Atheists. If you don't believe me, just take a look at who they gave most of their donations to. They donated more to the DNC than the RNC.
Before I've read the article or comments, I would like to point out the obvious failure of "Security through Obscurity" in the cracking of HDDVDs FOREVER.
"Martin earned a B.A. from the University of North Carolina at Chapel Hill (where he was elected Student Body President), a Master's degree in Public Policy from Duke University, and a J.D. from Harvard Law School. He is a member of the Florida Bar, District of Columbia Bar and the Federal Communications Bar Association." http://en.wikipedia.org/wiki/Kevin_Martin_(FCC)
Last time I checked, FCC stood for Federal Communications Commission, not Federal Constitutional Commandment.
"Don't let fools fool you. They are the clever ones."
This works for physical locks, but not cryptography. Read up on PGP.
Or, maybe I should explain it this way...if I can build a lock, give you the blueprints, give you the lock, give you the key that locks it (but not the one that opens it)...and you still can't open it, then that is security. That is what we are talking about.
Proprietary code is the cryptographic equivalent of someone's little sister hiding her diary and saying it's unreadable; as soon as her nosy brother finds it, he will open it (maybe brute force its cheap lock open) and read away. Or scribble in the margins, or whatever. Hiding does not make it unreadable.
Now, if she used PGP...
And if people are stupid enough to pay for something that does not protect them as well as something they could get for free, then they deserve what they get.
i am the opposite of tom_good, i am the XOR of ]=9fÆ"ÝÕ and ÖÆ\KF, i am 746F6D5F6576696C00.
Perhaps, the FCC (and NSA) is concerned that it will have a harder time snooping in on our conversations because Open Source encryption will improve at a faster rate due to community involvement. So, they spread a little FUD, if not outright lies, in the hopes that people will use the closed source communication stuff and the government may merrily go about its listening posts.
And, by the same idea, closed source software with hidden backdoors that anyone can exploit is inherently more secure than open-source software that anyone can view the source of, and said closed source software should be used on all government machines.
Despite the people who looked at the source telling everyone on IRC the secret root password, and giving people a few terabytes of sensitive government information in the form of a distributed torrent.
Federal bureaucrats technically illiterate? Uninformed? Geeze, reminds me of every middle manager I worked for in the 90's and early 2000's. I'm hopeful things have changed here in the business world a little bit. Any hope for the feds? Another decade maybe?
New Music!
"You can always turn the television off and, of course, block the channels you don't want.... But why should you have to?"
Kevin J. Martin
FCC Chairman
Human nature will make secret ciphers easy to break, you can count on it. Also, you can't validate a secret to make sure you are using a strong cipher, so you can't count on it being secure.
Of course, secure and obscure is never worse than just secure. It may be much better, slightly better, or as good as... In cryptography it is as good as, so why take the risk?
Rethinking email
FCC recently received a large donation from M$.
Great! Now the next step for the FCC is banishing free software in all markets, not just RF transmitters...
And now it is just a matter of time until they banish transistors, and resistors, and wires...
Rethinking email
First off, I didn't read the article, just the comments, so if I'm completely off base here, mod down appropriately... It seems to me that the goal is to prevent random people from making changes which cause disruption of service. While open source software would make it trivial from a software standpoint, the hardware still has an easy way to prevent it. Signed binaries. The hardware, much like an xbox360, could simply refuse to boot software which isn't signed by a specific private key. If that part of the boot process is part of the silicon itself, so the OS/BIOS/Whatever you want to call it, must be signed properly in order to run, then the fact that anyone can see and modify the source doesn't matter until the private key is leaked or found by some other means. This would seem to me a good way to allow for open source without worrying about unauthorized tampering of the software to make the radio do something it shouldn't. Of course, if the software is buggy and can be exploited in some means to run unsigned code or do something it otherwise shouldn't then you still have a problem, but as Microsoft, Apple, Cisco, IBM, HP, and every other software development firm in the world who has actually released code to the public knows ... closed source doesn't prevent exploits, it just prevents the peer review that can find them and make them known.
I donno, just seems like your typical decision made by people who don't fully understand what they are deciding on.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
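The signed-binaries scheme the post above describes, written out as an added example (this is not code from the post or from any vendor's boot ROM). The image layout, the magic string, the seed values and the firmware payload are all constructed for illustration; the signature scheme is Ed25519 from Go's standard library, chosen because it is what a boot ROM verification step looks like in practice: the public key is fixed in the verifier, and anything not signed by the matching private key is refused, however freely the source is available.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout (constructed for this example, not any real vendor format):
//   magic[4] | payloadLen uint32 big-endian | payload | ed25519 signature[64]
// The signature covers magic + length + payload, so neither can be altered.
var imageMagic = []byte("SDR1")

// VendorKeys derives the vendor's keypair from a fixed, constructed seed so the
// example is deterministic. A real vendor keeps the private half in an HSM.
func VendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize) // placeholder seed
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// SignImage builds an image around payload and signs header+payload.
func SignImage(priv ed25519.PrivateKey, payload []byte) []byte {
	hdr := make([]byte, 8)
	copy(hdr, imageMagic)
	binary.BigEndian.PutUint32(hdr[4:], uint32(len(payload)))
	signed := append(hdr, payload...)
	return append(signed, ed25519.Sign(priv, signed)...)
}

// VerifyImage is the boot-ROM side: parse the image and return its payload only
// if the signature verifies under the public key burned into silicon.
func VerifyImage(pub ed25519.PublicKey, img []byte) ([]byte, error) {
	if len(img) < 8+ed25519.SignatureSize || !bytes.Equal(img[:4], imageMagic) {
		return nil, errors.New("bad header")
	}
	n := int(binary.BigEndian.Uint32(img[4:8]))
	if n != len(img)-8-ed25519.SignatureSize {
		return nil, errors.New("length field does not match image size")
	}
	signed, sig := img[:8+n], img[8+n:]
	if !ed25519.Verify(pub, signed, sig) {
		return nil, errors.New("signature invalid: refusing to boot")
	}
	return append([]byte(nil), signed[8:]...), nil
}

// Demo returns whether each of three images boots: the genuine signed image,
// the same image with one payload byte changed, and a rebuild of the same
// payload signed by someone who does not hold the vendor key.
func Demo() (genuine, tampered, unsigned bool) {
	pub, priv := VendorKeys()
	payload := []byte("radio firmware v1: FREQ_HZ=2412000000") // constructed payload

	img := SignImage(priv, payload)
	_, err := VerifyImage(pub, img)
	genuine = err == nil

	bad := append([]byte(nil), img...)
	bad[10] ^= 0xff // flip a byte inside the payload
	_, err = VerifyImage(pub, bad)
	tampered = err == nil

	// Attacker has the full source, rebuilds the payload, signs with their own key.
	attacker := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x99}, ed25519.SeedSize))
	_, err = VerifyImage(pub, SignImage(attacker, payload))
	unsigned = err == nil
	return
}

func main() {
	g, t, u := Demo()
	fmt.Printf("genuine boots: %v, tampered boots: %v, re-signed by attacker boots: %v\n", g, t, u)
}
```

The point the post makes survives the example: openness of the source changes nothing for the verifier, which only ever asks whether the bytes in front of it carry a valid signature. What does defeat it is the second caveat in the post, a bug in already-signed code that lets it run unsigned code, which no signature check can catch.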
I agree. As compared to President Clinton's people, all of whom were 100% literate in all their areas of responsibility and never did anything illegal or immoral or stupid. Who only cared about the people of the U.S., not any special interests.
If it's open, then it must be less secure. I mean, it's like an open door versus a closed door. Of course closed is more secure.
I mean, it's not like you can take closed source, say on Windows, and start/run debug (enter) and type u (enter) and see the code at its machine language to reverse engineer it. Or use a hex editor to see stored hardcoded passwords in an executable. Closed source prevents all that.
AES-256 is recommended for TS/SCI. Of course, it has to be a NSA-vetted implementation, and requires the use of the existing key management infrastructure. But uh, those old classified ciphers should go away eventually.
that's pretty neat if you ask me...
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Non Sequitur: Proof that Windows is not secure is not proof that open source is secure.
Lack of viruses for Linux may be a result of there being many fewer Linux computers than Windows computers. Why work on a set of computers comprising 5% when one can work on a set of computers comprising 90%? Windows is a much more tempting target than Linux because the pay off in success is almost 20 times larger.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
The issue is that this ruling benefits Cisco that wants to defeat the likes of Linksys, Netgear and others that are beginning to deliver "decent" solutions with cheap radios and the help of hobbyists leveraging open source software. If you require that some of the SW is closed, you cannot leverage the benefits of the open source module on that bit you have closed. You also have to end up spending more time organizationally to support the effort, because you have to maintain two sets of documents -- one for the closed section, and another for the open section. You have to support binary compatibility, or some mechanism for the open source to integrate with the closed source firmware... it just becomes that much more of a burden for Cisco's competitors to develop and maintain their solutions.
So, please, don't flood the FCC with emails telling them that "Open source /is/ secure" -- from the standpoint of regulation, it's not! Flood them instead with messages that say, "This ruling is entirely prejudicial against many companies leveraging Open Source software for their solutions."
> Security through obscurity is rightly derided, but not because it has no value.
You're making one mistake that non-techies commonly make....If you don't have the source code, then you don't have the algorithm. This is far from true.
Any cracker worth his salt can read assembly language and won't have any problems in converting assembly language into an algorithm. It's often even possible to use a disassembler to convert assembly language into C since most algorithms do little more than mathematics (mostly done by the co-processor, so it's easy to spot these and convert them into C function calls or C operations).
Security through obscurity is about as safe as assuming that not telling anyone that your doors and windows are closed (but not locked) keeps you safe. Sure, it will stop the casual burglars who prefer to see that the window is open before even attempting to come in, but any burglar worth his salt wouldn't ignore a seemingly closed door (lock or no lock). If you want safety, your best approach is to use a well proven *public* design that's been hardened by public scrutiny. Like it or not, you're bound to make a mistake if you try to be too smart in security and go your own way since security is so hard to get right (it's only as strong as the weakest link).
http://www.unwords.com/unword/sarchasm.html
- It's not the Macs I hate. It's Digg users. -
Software defined radios could contain hardware chips that define maximum power and frequency limits. Hackers could still modify the rest of the software. Its not an either-or situation.
You would figure after more than a decade (maybe two) of proving the stupidity of "Security Through Obscurity (STO)" [proprietary software OS/apps/products, voting machines ...] that all government managers globally would know that STO is a damn dumb highly insecure position for everything. In WWI, maybe WWII STO had some benefit, but today STO is a position for any idiot (in government, business, religion ...) to take and make their own before being retired with cause.
REMEMBER: Government/Business workers are not the problem, but the higher the stupid management the bigger the problems for natural disasters, security, cost.... Consider present conditions no exception for today or tomorrow, due to friend/family nepotism.
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
First, nice try with changing your argument, but no, you don't get to do that. You said something stupid and wrong, stop trying to change it now. Second, where does it say that the FCC uses these technologies? You already said in this very thread that you "wouldn't be surprised" if they used them now you're trying to pass off your assumption as fact.
You said something dumb because you misread the quote you thought made your point. Stop pretending and just admit it.
I hate to say it, but, some evidence suggests that obfuscation works if there is enough of it.
And it all depends on what is meant by "security".
The FCC could care less about how hard it is to recover the message or break the box. What they're concerned about is how hard it is to modify the box to operate outside their regulations.
It's a lot easier to modify the function of a peripheral if you have information about it - including commented source for the controlling driver - than if you don't. Don't believe it? Look how long it took - and still takes - to write blob-free fully-functional Linux drivers for winmodems, graphic accelerators, WiFi chipsets, etc. Listen to the cries for documentation from the driver and kernel development projects.
The FCC says "Thou shalt not publish the source code to the parts that control the radio." Since FOSS licenses REQUIRE the vendors to publish the source code, FOSS is thus effectively forbidden, since it would not be possible to abide by the software license and the FCC license simultaneously.
As for vetting the code, the FCC reserves the right to demand the source of ANY software - proprietary or not - used in a type-approved software-defined radio. They say they probably will rarely want to look, and will probably honor the company's request for confidentiality unless they have some reason not to, but they do demand it be forked over whenever they ask. So arguments that they can't vet it because it's closed are moot.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
I have been seeing it for quite a while now. NTFS-3G, which works within the FUSE userspace file system framework, has an excellent reputation for reliability.
That is FUCKING BULLSHIT.
Much like many studies, hearings, investigations, and other such things in the US these days, I suspect the result was a forgone conclusion prior to any "deliberation" on the matter.
Using another example from cryptography: Which is more secure, public or private key systems? The answer is of course private keys. Why? Let's rephrase the question: Which is more secure, a public key system or a public key system where the keys are kept secret? Obviously the latter. Hard as it is with a known key, you absolutely cannot (for example) factor an RSA key you don't have. This of course has little to do with what the FCC says.
If you're going to offer a rebuttal, the least you could do is post a list for comparison, otherwise you look like a Bush apologist.
Probably a significant percentage of all webserver computers in the world run on Linux or one of the BSDs (all open source so vulnerable according to the FCC :-)). Those are more interesting targets qua hardware and network connectivity, for a set of zombie computers rather than just any old PC which gets turned off at night, has a slow connection, etc. etc.
I think it's a pity there are no good statistics. Netcraft has estimated numbers on the different webservers though (IIS = Microsoft, but Apache doesn't imply Linux or BSD). But lately those statistics have been polluted (look at the sudden bumps in the graph).
To be, or not to be: isn't that quite logical, Slashdot Beta?
The "why should you have to?" is in reference to paying for channels that you have blocked or don't watch. I have to agree with him on that.
Support Right To Repair Legislation.
And these are the people you want protecting net neutrality?
If this is in regards to open-source Wi-Fi firmwares and FCC certification, the FCC has a completely different type of "security" and "hacker" in mind than what most people think of when they think of computer security and crackers.
The article (and summary, and most users) are assuming they are talking about data and computer security - preventing malicious users from spying on other users' data (classic WiFi example - WEP cracking), and from compromising a users' machine (Intel WiFi driver compromises.)
I'm fairly certain that the FCC is talking about a different kind of security - a device licensed by the FCC to transmit is only licensed to transmit on certain frequencies with certain modulation schemes, often with additional restrictions on power levels (some of which may be frequency-dependent.) Also there are sometimes restrictions on what frequencies a device may receive. For example, it was (and likely still is, although it's no longer relevant) illegal to sell radio receivers that covered the 800 MHz cellular bands. In terms of "security", the FCC is talking about preventing licensed transmitters from being modified to transmit out of their licensed band, in unlicensed modulation schemes, at unlicensed power levels, and sometimes receiving frequencies that no one is allowed to sell a receiver for in the United States.
The problem is that in this regard (preventing modifications to hardware functionality), Open Source is indeed fundamentally less secure - The whole idea behind Open Source is giving the user the freedom to modify their software and add functionality, and with modern software-defined radios, modifying the software fundamentally modifies the behavior of the hardware. This freedom to modify the hardware is EXACTLY what the FCC does not want users to have. It is in theory possible to get tamper-resistance in a manner similar to what the FCC wants (see TiVo for an example of a vendor who has satisfied MAFIAA tamper-resistance requirements while using open-source software), but not without going against the fundamental spirit of Open Source. There's no point in the source being open for a piece of software if the hardware refuses to run it unless it's signed by the vendor (See TiVo again).
So far the open source community has yet to show a workable solution for open-source drivers that prevents the user from "unlocking" additional frequencies/modifications/power levels on existing software defined radios without a simple source change and a recompile. I'm honestly not sure if there is a workable solution to such a problem that doesn't involve anti-tamper via code signing, which as I said before kind of defeats the purpose of open source.
retrorocket.o not found, launch anyway?
A few years ago the FCC was overhauled in an effort to speed the processes of approval and allocation. At that time the most common complaint was that it took years to obtain approval for new technology. The truth is, that the old FCC did seem to drag their feet and yes, it was rather difficult to get approval for new technology and to get a piece of the radio spectrum reallocated you may as well forget about it. People and industry did have a lot to complain about. When the FCC did make a decision, it was (almost) always the right one, it had been well researched and lobbyists and lawyers had little influence, even the politicians really had very little say.
When the system was overhauled, it was done with the best of intentions. They allowed industry access in ways that they never had before and the FCC had to start to rely on information presented by the very industry that they were intended to police! Today, we could almost describe the industry relationship with the FCC as symbiotic.
The FCC has as its primary charge the responsibility of making the public airwaves work for the public. They protect these airwaves by allocating frequencies, by approving new uses, and by certifying equipment that may use or interfere with the public airwaves.
With technology changing so fast, and the airwaves being so crowded, and all sorts of new ideas (good and bad), the FCC has lots to do. Congress told them to work faster and be more responsive to industry. Industry does not want OSS, they view it as competition. They would rather develop copyrighted and even patented software to do this stuff so that they can earn a healthy return on investment. The FCC is simply echoing this as they have been instructed by congress to do (they see it as working with industry).
OSS is sort of socialist when you think about it from the closed source standpoint. It is a threat simply because it is free. You would think public airwaves would be a place where free software would be at home -- and it should be but it isn't. Because the FCC is no longer really allowed to make the best decisions for the public. They must now answer to the very people they are supposed to police. That is simply wrong; they should answer to the public and the requirements of international treaties.
...everything in open source is unsafe, and linux should be bashed to death with a blunt object? At least that's what an idiot or a M$ zealot would believe by reading this. Then again these are the kind of people who are trolls and don't know how to read either.
In the end, nothing is safe, there are always weaknesses waiting to be exploited.
"The issue is that this ruling benefits Cisco that wants to defeat the likes of Linksys, ..."
Linksys is part of Cisco.
Why would Cisco want to defeat part of itself?
What is truly amazing is that there are still millions of flag-waving fanatics out there that support this soul crushing fascist state.
"Find out how much oppression a people are willing to tolerate, and you will have discovered the exact amount they will be subjected to." - Frederick Douglass
"Why are we letting a crazy old person run our country? We're asking to be shot in the face." - Jon Stewart
> ALL the Federally APPOINTED people , are BUSH supporters, and they fail to know the law!
Actually like any other band of criminals, they do know the law, they just don't care.
"The constitution is just a goddamn piece of paper" - George W. Bush
No, keep going. Hahaha
"The NSA doesn't seem to agree"
"We're 5 posts in because I saw these subtle connections and others didn't."
You're a fucking liar. You made a mistake, and changed your argument. Your original argument had nothing to do with your current argument, so stop lying.
"I'm not the one here stamping my feet..."
Um, yes you are. You're wrong and continue to change your point, insisting it was your original point all along, even though it's clear that's a lie.
The only thing you showed is that you'll lie and obfuscate as much as necessary to preserve what little self-worth you have left.
When are you running for office?
The president has ruled that war is peace. Since he ruled it, it must be right.
In this context, the FCC defines 'secure' as 'unable to mess up the spectrum by transmitting out of the licensed band, using too much power or doing anything else nasty that'll mess up the spectrum'.
An open source device, with a "#define FREQ_HZ 123456" in a header file somewhere, will be 'less secure' in this context as it'll be trivial to break spectrum licensing rules.
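The two posts above (the FREQ_HZ header constant here, and the earlier remark that software defined radios could contain hardware chips that define maximum power and frequency limits) describe the same design question from opposite sides. The following is an added example, not code from either poster, that models the hardware side in Go: a limit table that lives below the firmware and refuses any request outside it, so editing the constant and recompiling changes what the software asks for but not what the transmitter does. The band edges and power figures are constructed placeholders, not real FCC allocations, and RFLimiter stands in for a fused front-end chip.

```go
package main

import (
	"errors"
	"fmt"
)

// Band is one range the front-end may transmit in, with its own power cap
// (limits can be frequency-dependent). Values are constructed for the example.
type Band struct {
	LowHz, HighHz uint64
	MaxPowerDbm   int
}

// RFLimiter models a limit table burned into the radio front-end. Its fields
// are unexported so firmware in another package cannot rewrite them; in real
// hardware the equivalent is fuses or mask ROM the CPU cannot alter.
type RFLimiter struct {
	bands    []Band
	rejected int // refused requests; a spike here is a tamper-attempt signal
}

// NewRFLimiter copies the table so the caller keeps no handle to mutate it.
func NewRFLimiter(bands []Band) *RFLimiter {
	cp := make([]Band, len(bands))
	copy(cp, bands)
	return &RFLimiter{bands: cp}
}

// SetTx is the only path to the transmitter. It never trusts the caller: it
// accepts a request only if it falls inside a permitted band at or under the
// band's power cap, and otherwise returns an error and leaves the TX untouched.
func (l *RFLimiter) SetTx(freqHz uint64, powerDbm int) error {
	for _, b := range l.bands {
		if freqHz >= b.LowHz && freqHz <= b.HighHz {
			if powerDbm > b.MaxPowerDbm {
				l.rejected++
				return fmt.Errorf("%d dBm exceeds the %d dBm cap for %d-%d Hz",
					powerDbm, b.MaxPowerDbm, b.LowHz, b.HighHz)
			}
			return nil // within band and within power cap: transmit
		}
	}
	l.rejected++
	return errors.New("frequency lies outside every permitted band")
}

// Rejected reports how many requests the hardware has refused so far.
func (l *RFLimiter) Rejected() int { return l.rejected }

// Firmware side: the kind of constant the post describes. Anyone with the
// source can change it and rebuild; that is precisely why the limit must not
// live here. Both values are constructed for the example.
const FreqHz = 2412000000
const TxPowerDbm = 20

func main() {
	// Constructed limit table: one band with a 30 dBm cap.
	hw := NewRFLimiter([]Band{{LowHz: 2400000000, HighHz: 2483500000, MaxPowerDbm: 30}})
	fmt.Println("normal request:", hw.SetTx(FreqHz, TxPowerDbm))
	fmt.Println("too much power:", hw.SetTx(FreqHz, 36))
	fmt.Println("out of band:   ", hw.SetTx(2500000000, TxPowerDbm))
	fmt.Println("rejected so far:", hw.Rejected())
}
```

The rejection counter is there because a defender wants to see tampering, not just block it: firmware that repeatedly asks for out-of-band or over-power settings has been modified, and that count is the cheapest evidence the device can keep.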
The problem is that it is not easy to tell if your foundation is secure without considerable peer review. By adding the obscurity element you lose your peer review.
It is a fallacy to think that peer review requires open source. Considerable peer review does not require a million monkeys, a small number of outside experts under non-disclosure agreements can do quite nicely.
"There is no reason why regulators should discourage open-source approaches ..."
... except corruption
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
More seriously, security through obscurity is only of marginal usefulness for obscure purposes. Maybe Joe Schmoe can't find his way past some obscurity defense, but if something is widely distributed, such as a publicly distributed software radio, then any obscurity element will likely be compromised quite quickly and quite trivially as soon as someone qualified to do so gets his or her hands on one.
Your use of obscurity seems quite narrow, as if it is confined to only a crypto algorithm. In reality it is far more complicated than that. Once upon a time I witnessed a closed source project that leveraged obscurity. It had hundreds of thousands of online users, an active hacking community, and obscurity greatly slowed down the progress of hackers as they reverse engineered a closed source system, code, protocols, complex interactions, ... After many months they figured it out, but in that time the developers had a patch waiting in the wings with new code, new protocols, new interactions, ... The hackers made their breakthrough, the developers released a patch, the hackers had to start all over. This was the plan all along. Had the project been open source the hackers could have made their breakthroughs in a couple of weeks, maybe less, rather than many months. The point of obscurity was to slow down the hackers to a manageable rate. And of course, obscurity was not the foundation of the real security, it was just an element that kept hackers busy with less important things for a far greater amount of time than they would have liked. Don't underestimate the value of boring hackers with drudgery, of making someone else's project more interesting than yours.
Go ahead and mark this -1. But this speech by Keith Olbermann points out how our own government was SOLD to a private group by letting the people who run that private group run our government.
F*ck the FCC!
The Rapture is NOT an exit strategy.
It takes one and only one person to post a vulnerability and its exploit on this thing called the IntraWeb... er, Internet.
..come again?
So which are the experts that the FCC consulted?
I enjoy my daily dose of Slashdot, but honestly whoever wrote this is trying to hype this thing way out of context.
The FCC in NO WAY made any comment on the security of open source software. They merely said that using open source based software defined radios in commercial products would make it hard to gain approval, due to the obvious fact that if users can modify that software they can do things such as increase power or change operating frequencies, which are illegal because they can cause interference with others' communication devices.
This is also potentially dangerous because it could interfere with law enforcement, ambulances, or any other kind of emergency or important communications.
Now, if we want to argue the point of how open source can be used while preventing the user from making serious/illegal changes to software modems, that's one thing. (I don't see how this could ever be worked out under the tivoization clauses in GPLv3.)
But let's not get all fired up at our FCC when it really hasn't said a thing about the "security" of open source projects. Don't believe everything you read on Slashdot, folks - think for yourself and make sure you read the real source documents before you fire off like idiots.
A more balanced article about this topic:
http://www.linuxdevices.com/news/NS9075126639.htm
The REAL FCC document:
http://edocket.access.gpo.gov/2007/07-2684.htm
And what does it matter if it was coded by the lowest Indian bidder? The company that did doesn't give a fuck about what you think of their offshoring policy and just cares about increasing $$.
Welcome to Corporate America. Shitting on the little guy.
Quite a few posters in this thread seem to be missing the point of the ruling. That's easy to do when you only read summaries designed to push a certain point of view, and don't dig into the source material yourself. So let's have a look at the actual ruling:
To minimize the filing burden on manufacturers, this requirement was narrowly tailored to affect only those radios where the software can be modified by a party other than the manufacturer because such radios pose a higher risk of interference to authorized radio services.
(emphasis added) Now, here comes the actual snippet that seems to have a lot of people up in arms:
The Commission hereby states that it is its policy, consistent with the intent of Cognitive Radio Report and Order and Cisco's request, that manufacturers should not intentionally make the distinctive elements that implement that manufacturer's particular security measures in a software defined radio public, if doing so would increase the risk that these security measures could be defeated or otherwise circumvented to allow operation of the radio in a manner that violates the Commission's rules. A system that is wholly dependent on open source elements will have a high burden to demonstrate that it is sufficiently secure to warrant authorization as a software defined radio.
Again, emphasis added. The FCC is not saying that OSS is inherently less secure. They are saying that it's their policy to make it difficult to modify a radio such that it violates FCC rules. That's all. It might even be possible, given the stipulation above, to do this with OSS. Of course you might run into the 'tivoization' clause of GPLv3 in so doing ...
Fuck that! In a perfect world, answering the question "does this device cause harmful interference" and prohibiting it from use if it did would be the sole extent of the FCC's power!
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
It's probable that part of the reason the FCC believes open source is more vulnerable is that, by nature, open source vulnerabilities are more quickly reported and visible. I've seen this happen with the security team where I work. Because there are more reports of vulnerabilities for some pieces of software, that software is viewed as more risky.
The real reason, though, is that closed source software vendors deny or never announce any vulnerabilities, so the number of reports is lower.
I say that instead of fighting the FCC to change their stance, we should ask that they instead put out a mandate that all purveyors of this type of system be required by law to report any and all discovered, exploited or theoretical vulnerabilities in systems that would be used on the people's airwaves.
Closed source is the only way to go.
Look at Microsoft. First it was the alleged "NSA key" - now they've ADMITTED LETTING the NSA break into Vista - allegedly to "improve the security".
So of course the NSA found X ways to break in - and told Microsoft about X minus n of them.
Morons.
Anybody with anything whatever to hide who uses Vista now has to be a complete moron.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
USA is a republic run by democratically elected representatives!
The republic has fallen slowly at an increasing rate since the civil war.
Voting is so corrupt we don't know who actually wins unless it's by a landslide.
Representatives do not represent their constituents any more than they have to but instead serve corporations and banks.
The media (the 4th branch) was poorly defined and protected and as a result it is now useless.
The USA is not an aristocracy; or at least not a direct one...
Government DOES produce things, but primarily government provides/produces services.
Government DOES outperform the private sector whenever its overhead costs are less than those of private organizations performing the same product/service. Government is NON-PROFIT (it's supposed to be) and its success is impacted by "voting with your ballot."
Private orgs must make a PROFIT and have no accountability outside of that; in case you did not know, "voting with your dollar" is undemocratic by definition and far easier and more open to rigging and corruption (if PROFIT doesn't cause it to go corrupt faster).
Democracy Now! - uncensored, anti-establishment news
That term "closed-source" is nice but incorrect.
What do you think that assembly that's produced from my IDA is?
This is a direct attack on GNU Radio, a project that every self-respecting hacker should at least know about, if not actually use.