FCC Rules Open Source Code Is Less Secure
An anonymous reader writes "A new federal rule set to take effect Friday could mean that software radios built on 'open-source elements' may have trouble getting to market. Some US regulators have apparently come to the conclusion that, by nature, open source software is less secure than closed source. 'By effectively siding with what is known in cryptography circles as "security through obscurity," the controversial idea that keeping security methods secret makes them more impenetrable, the FCC has drawn an outcry from the software radio set and raised eyebrows among some security experts. "There is no reason why regulators should discourage open-source approaches that may in the end be more secure, cheaper, more interoperable, easier to standardize, and easier to certify," Bernard Eydt, chairman of the security committee for a global industry association called the SDR (software-defined radio) Forum, said in an e-mail interview this week.'"
Over at the Software Freedom Law Center, we've published a white paper regarding the new rules. That might be of interest to some.
The problem the FCC (and every other emission regulation body) has with open source and software radio is that it will be trivial to modify a device using these methods to emit at an arbitrarily high power level over a restricted wavelength, or to use a band without using the proper medium access control. If this happened, the wavelength would be pretty much unusable for all other users until the FCC tracks down the emitter and shuts him down.
That's why today, most radio-enabled devices, and especially mobile phones, have to pass type conformance to be commercialized in a geographic area. In the current state of things, if the radio software can be changed by the user, the type conformance cannot be awarded. Software radio makes things worse, because it is harder to justify that a component cannot emit at a given frequency, if changing the software in this component would allow switching emission frequencies at will.
It's not the same group making these statements. The FCC is the one who has said that "security through obscurity" works, while the SDR Forum (an industry group) cited SSL as a counterexample.
This guy's the limit!
(IANAL)
Standard neo-con practice: appoint like-minded, highly loyal individuals into key points of power to make decisions that benefit big companies and personal investments in ways that Congress cannot easily affect.
Kevin J. Martin is the current head of the FCC, appointed by Bush in 2005. Prior to that, he was general counsel for Bush's first election campaign, then he took over the 'technical transition' when Bush/Cheney were moving into the White House. After they got settled he picked up a nice position as a White House assistant. The guy is nothing more than yet another neo-con crony who shows his loyalty to big business and the party line over the interests of the people and gets promoted for it.
On the bright side though, he is at least somewhat qualified for the job. He has a real degree from a real school, he worked at the FCC prior to being appointed Chairman, and has focused much of his career on the tech/telecom industries.
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
...like Bruce Schneier:
"If an algorithm is only secure if it remains secret, then it will only be secure until someone reverse-engineers and publishes the algorithms. A variety of secret digital cellular telephone algorithms have been "outed" and promptly broken, illustrating the futility of that argument." (from Crypto-Gram, September 15, 1999)
But what could we expect from an FCC headed by a lawyer, a businessman, a professional Senate staffer, a DRM-supporter who received coaching from Clear Channel to oppose a satellite radio merger, and a professional telecom corporate lobbyist.
i am the opposite of tom_good, i am the XOR of ]=9fÆ"ÝÕ and ÖÆ\KF, i am 746F6D5F6576696C00.
It is exactly as you said. They don't want the populace spewing things into the RF spectrum that they can't manage. So one or two pirate radio stations spring up and are easily hunted down by the FCC. Now, with easy to "hack" software radios everyone could start broadcasting any information they want, in any format, on any frequency, at any power, etc...and there would be no way for the FCC to even begin to track that kind of rampant violation down.
If one guy is in the street protesting, it is easy to control and quell. If it's 10,000 guys in the street protesting, it gets a little harder; if it's 10,000,000 guys, it's basically impossible.
The only change I can believe in is what I find in my couch cushions.
I am TheRaven on Soylent News
Interesting that they apparently didn't consult folks at NSA. Their operating hypotheses for any US cryptosystem are:
1. The equipment is known and available for disassembly and testing
2. The algorithm is known or discernible from the equipment and related manuals
3. You have lots of output data from the device (the underlying plain text is properly)
4. You don't have the key...that's what you need
While I will grant that most folks never see any of this (most equipment, algorithm details, and key parts of repair/use manuals are classified), they assume the worst case and still make it secure. In other words, like having open source code and figuring out the key from that and clean output.
While "Security through Restricted Access" is a very good practice, the argument is STUPID at best, and downright biased towards closed, proprietary software vendors. Frankly, these people couldn't encrypt their way out of a wet paper bag with a pen, ruler, and other sharp things like their pointy little heads.
If they think it is "less secure" we can lock them up somewhere with whatever they want to crack an open source cryptosystem used as the jail lock and see how soon they get out. I hope they include a lifetime supply of food, water, toiletries, medicines, etc. I think a simple 1024 bit Elliptical Curve Cryptographic system will keep them safely behind bars for several decades, if not their lives.
Where do they find these bozos to fill these positions? I'd like to know so we can close that source of universal stupidity off and make the world a better place...
I guess these folks will never qualify for one of my D.O. letters... they're either just too stupid or have such low IQs that they need to be institutionalized immediately.
Supreme Granter of Doctor of Obviology Letters ("A FIRM Command of the Obvious")
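The four hypotheses in the post above, turned into runnable code. This is an added example written for this page, not code from any commenter, the SDR Forum or the FCC filing. Scheme A keeps a fixed pad hidden in the firmware and has no key at all (security through obscurity); Scheme B publishes its construction (HMAC-SHA256 used as a counter-mode keystream, an illustrative construction rather than a recommended cipher) and keeps only a key secret. The same known-plaintext attacker (hypothesis 3) is run against both. The pad value, the key, the nonce strings and the radio traffic are all constructed for the example.

```python
"""Kerckhoffs's principle, worked through: the attacker has the device,
knows the algorithm, has plenty of output with known plaintext, and
lacks only the key. A scheme whose only secret is the algorithm fails
under that model; a public algorithm with a secret key survives it.
Standard library only."""
import hashlib
import hmac
from typing import Optional

# ---- Scheme A: "secret algorithm", no key. Every unit ships with the
# same pad, so reading one firmware image (or one known exchange) breaks
# all of them. Value is constructed for the example.
_HIDDEN_PAD = bytes.fromhex("3a7f19c4e2b05d8891")


def obscure_encrypt(plaintext: bytes) -> bytes:
    """XOR with the baked-in repeating pad; the same call decrypts."""
    n = len(_HIDDEN_PAD)
    return bytes(p ^ _HIDDEN_PAD[i % n] for i, p in enumerate(plaintext))


def recover_repeating_pad(known_plain: bytes, ciphertext: bytes,
                          max_period: int = 64) -> Optional[bytes]:
    """Hypothesis 3 in action: XOR known plaintext with its ciphertext and
    look for the shortest repeating pattern. Returns None when no period
    up to max_period is confirmed by at least two full repetitions."""
    stream = bytes(p ^ c for p, c in zip(known_plain, ciphertext))
    for period in range(1, max_period + 1):
        if len(stream) < 2 * period:      # not enough data to confirm
            break
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return None


# ---- Scheme B: public construction, secret key. Anyone may read this
# code; security rests on `key` alone (hypothesis 4).
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode: HMAC(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def keyed_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream cipher; the same call decrypts. Never reuse a nonce under
    one key: XORing two such ciphertexts would cancel the keystream."""
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def attack_comparison() -> dict:
    """Run one known-plaintext attacker against both schemes."""
    known = b"CALL SIGN W1AW TEST DE W1AW K " * 2       # constructed traffic
    secret_msg = b"next frequency 146.520 MHz"          # constructed traffic

    # Scheme A: recover the pad from one known exchange, then read new traffic.
    pad = recover_repeating_pad(known, obscure_encrypt(known))
    c_a = obscure_encrypt(secret_msg)
    read_a = (bytes(c ^ pad[i % len(pad)] for i, c in enumerate(c_a))
              if pad else b"")

    # Scheme B: the attacker learns the keystream for the known message only;
    # a different nonce yields an unrelated stream, and the key stays hidden.
    key = hashlib.sha256(b"device-unique provisioning secret").digest()  # constructed
    c1 = keyed_encrypt(key, b"nonce-0001", known)
    ks_leaked = bytes(p ^ c for p, c in zip(known, c1))  # stream for nonce-0001 only
    c2 = keyed_encrypt(key, b"nonce-0002", secret_msg)
    read_b = bytes(c ^ k for c, k in zip(c2, ks_leaked))  # wrong stream for nonce-0002

    return {
        "pad_recovered": pad == _HIDDEN_PAD,
        "scheme_a_broken": read_a == secret_msg,
        "scheme_b_no_period": recover_repeating_pad(known, c1) is None,
        "scheme_b_broken": read_b == secret_msg,
    }


if __name__ == "__main__":
    for name, result in attack_comparison().items():
        print(f"{name}: {result}")
```

The point the NSA hypotheses make is visible in the two results: once the fixed pad is recovered from a single known exchange, every device using Scheme A is readable forever, which is the "outed and promptly broken" pattern Schneier describes for the secret cellular algorithms. Under Scheme B the attacker gains exactly the keystream of the message whose plaintext they already knew, and nothing about the key or about traffic under any other nonce.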
I get your point... BUT. There is a very good NTFS writer for Linux: http://www.ntfs-3g.org/
The issue is that this ruling benefits Cisco, which wants to defeat the likes of Linksys, Netgear and others that are beginning to deliver "decent" solutions with cheap radios and the help of hobbyists leveraging open source software. If you require that some of the SW is closed, you cannot leverage the benefits of the open source module on that bit you have closed. You also have to end up spending more time organizationally to support the effort, because you have to maintain two sets of documents -- one for the closed section, and another for the open section. You have to support binary compatibility, or some mechanism for the open source to integrate with the closed source firmware... it just becomes that much more of a burden for Cisco's competitors to develop and maintain their solutions.
So, please, don't flood the FCC with emails telling them that "Open source /is/ secure" -- from the standpoint of regulation, it's not! Flood them instead with messages that say, "This ruling is entirely prejudicial against many companies leveraging Open Source software for their solutions."
The "why should you have to?" is in reference to paying for channels that you have blocked or don't watch. I have to agree with him on that.
Support Right To Repair Legislation.