Slashdot Mirror
FCC Rules Open Source Code Is Less Secure
An anonymous reader writes "A new federal rule set to take effect Friday could mean that software radios built on 'open-source elements' may have trouble getting to market. Some US regulators have apparently come to the conclusion that, by nature, open source software is less secure than closed source. 'By effectively siding with what is known in cryptography circles as "security through obscurity," the controversial idea that keeping security methods secret makes them more impenetrable, the FCC has drawn an outcry from the software radio set and raised eyebrows among some security experts. "There is no reason why regulators should discourage open-source approaches that may in the end be more secure, cheaper, more interoperable, easier to standardize, and easier to certify," Bernard Eydt, chairman of the security committee for a global industry association called the SDR (software-defined radio) Forum, said in an e-mail interview this week.'"
Just goes to show how much a bunch of gov't bureaucrats know. Or maybe there just being ass-kissy with business again.
Because Security Through Obscurity totally worked for:
MPAA (DeCSS)
Nazis (Enigma)
Xerox (Robin Hood & Friar Tuck)
Microsoft (just about any form of security they've ever had)
and about a billion other examples
Karma: Non-Heinous
If I'm trying to break into some code, and I can read the source code to determine how the author protected it, I'll have an easier job (note: "easier", not "easy") because I can home in on the algorithm the author used. I know whether it's Blowfish, DES, AES, IDEA, or a simple XOR or substitution cipher. I know what pre-encrpytion steps were taken, and what post-encryption algorithms were used.
Let's say that in a moment of insanity, I decided to use a basic XOR encryption routine (create each byte in the encrypted stream by XOR-ing the corresponding source byte with every byte in the password save one, rotating that one as I iterate over the source). This is completely and utterly trivial to crack if you have the source code and *know* the routine I used. It's a repetitive cypher, so it's reasonably obvious unless the password is of significant (a sizeable fraction of the source's length) as well. Note the difference - it's easier with the source code.
Now that's a contrived example - no-one in their right minds would use an XOR cypher, but the same principle applies to harder encryption techniques. If you *know* what system was used to protect the source, you have an advantage over not knowing... Did they gzip the source before encrypting it ? Did they use ZIP, RAR, or 'compress' instead ? Did they XOR to hide the obvious compression header ? Is it inverted (last byte first) or was any other transformation done *before* the encryption stage to try and make it non-obvious that a successful crack had taken place ? These are all "knowns" if you have the source code...
So, yes, it is easier when you have the source code. Security through obscurity is rightly derided, but not because it has no value. It is derided because it leads to the use of insecure encryption methods (small keys, using XOR/whatever instead of proper hard encyption, etc) and the fact that once the obscurity is cleared up, there's no more security. The idea is that if you are sufficiently confident that your encryption is unbreakable, you *can* document how you did it in public. That doesn't mean you *should*.
The point though, and why I disagree with the regulators, is that if you're using hard encryption, it really doesn't matter whether it's *easier*, it's not *easy*. It is in fact still so damn hard, that we're talking "impossible in our lifetime(*)" - the relative comparison makes no sense. It's akin to measuring the height of Mount Everest at 6-month intervals - it's always pretty darn high, though you might find some variance due to snowfall.
So, yes, they're right. But by not considering the (tiny) impact of their conclusion, they have made the wrong ruling.
(*) Modulo the discovery of an easy way to crack the encryption technology, of course.
Simon.
Physicists get Hadrons!
And we keep voting the same crew into office who keep appointing the same bozos to the FCC... shame on us.
OCO is Loco
from TFR:
A system that is wholly dependent on open source elements will have a high burden to demonstrate that it is sufficiently secure to warrant authorization as a software defined radio.
By this they probably mean, if the radio is open source then any DRM is useless, and this is insufficiently respectful of the benighted Copyright Holders of whatever is being played, thus it is "less secure."
I am somewhat perplexed as to why the FCC would need to be regulating the security of consumer devices. For organization that need secure communications, there are already many government and private certifications, that insure this. But why on earth would they restrict consumers from purchasing non-secure software radios if they don't need them?
Is this because they feel that software radios could be hacked to broadcast outside of their certified frequency and power limits? Or because they think they need to protect the public from buying 802.11 routers with crappy WAP implementations?
The security bit is just a cover story. This is about some perceived danger to the RIAA, MPIAA and similar cartels.
The FCC has absolutely no power to regulate nor any say at all in how software radio or television are implemented.
n s/200505/04-1037b.pdf
The FCC commisioners are deluding themselves, again, if they think Congress gave them the power to appoint monopolies.
They have already been slapped down once with regards to the DTV Redistribution Control flag and they're about to be slapped down again.
What's next, washing machines and clock radios?
http://pacer.cadc.uscourts.gov/docs/common/opinio
If the Foolish Child Commission can't remember the limits of their power, We the People will be more than happy to remind them, spank them and send them to their 'time-out' corner once again.
Well, if they [FCC] are going to take this stance, it is our duty to enlighten them as to the consequences of their actions.
I would like to see a Month of Closed-Source Software Raido Hacks
Then they [FCC] will discover that since the closed source software radios are not examined by independent unbiased debuggers, the possibility of bugs, bad encryption schemes, et al is a very high possibility.
Maybe then the government bureaucrats will see the merits of Open Source.
My backup chemistry thesis stored on Data Storing Bacteria mutated; granting me a degree in forensic anthropology. v4sw7
Oh for [insert deity]'s sake, please don't tell them that... If they actually start thinking through every possible way someone could do harm on a plane, they'll shut down the airlines "for your safety and convenience"...
At the end of the day, the most dangerous thing is an intelligent mind with the goal of doing harm. There is little-to-no way to protect against that, but it's not a politically acceptable truth, so they just make life difficult for everyone and hope for the best [sigh]. The *only* reason for all this is to protect *themselves* from a "you didn't do anything" accusation after the fact.
If people would just accept that life == risk, we'd be a lot better off.
Simon.
Physicists get Hadrons!
If the end-user can modify the source with reasonable ease:
They can easily bypass any "broadcast flag";
They can remove restrictions on which channels a scanner can scan;
They may be able to transmit on forbidden channels or at
power levels that are above those permitted for a channel.
That is the sort of hacking that frightens the FCC
Andy
There's nothing inherently secure about closed source software or anything inherently secure about open source software. In fact, closed source software that is not secure when the source code is visible is not really secure at all.
That's what code burned into ROM is for -- or hell, EPROM or even EEPROM would be fine, so long as it can't be erased through normal operation of the device.
If the FCC is that concerned about software radio operating out of spec (which I personally believe isn't really going to be a problem), then it should mandate hardware access controls on all radios.
Ultimately, ANY solution that relies on locking down client devices is doomed to failure. People can, and do, tinker with their own devices.
-William Brendel
"Ceteris paribus" -- assuming "allthings being equal", which they never are.
True, if you have two equally boneheaded pieces of software, then exploits in a the closed one are harder to divine -- not by much, but harder. On the other hand, if you have a piece of software that has survived years of public scrutiny by experts, that is presumptively harder to exploit than something some random engineer ginned up in secret.
Something cannot be widely reviewed (which is the gold standard in security) and secret at the same time. So generally, I think open source represents the best by far and the worst by a little of security possibilities.
The ultimate problem is that broad statements like X is more secure than Y are meaningless. You have to specify the context and threat you are concerned with. Is an open source interpreter burned into a ROM inside of microwave oven more vulnerable than a proprietary interpreter? Well, against what? Same goes for the software radio thing.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Whoa, there. There are lots of ways to violate FCC regulations with off the shelf hardware. Whether it happens in hardware or software, it's still illegal. There's no reason that OSS can't comply, they're simply arguing that somebody could re-code it to be non-compliant. Hardly a valid reason for disallowing it.
Is it just my observation, or are there way too many stupid people in the world?
The thing about pretty much all the discussion over 'security through obscurity' is that it compares a 'secure-because-obscure' to a 'secure-without-being-obscure' mechanism. I'm not saying that the use of a secure-through-obscure mechanism is a good thing, and if you read my post, you'll see that.
My point was that if I'm using a hard-encryption mechanism, then I can additionally do things that would render a "cracked" result difficult to determine. If you know what you're looking for (ie: the algorithm is open source), I can't do that. I wasn't trying to say "just use secure-through-obscure' methods, I was saying that they can have some value when also combined with hard encryption.
I also disagreed with FCC (at the end of the post). It was sort of amusing to watch the moderations (up to 5, down to 2, up to 5, down to 3, up to 5). I'm left wondering whether those that moderated me down actually read what I wrote (and thought I was wrong), or just read the title of my post, and gave a knee-jerk response...
Simon
Physicists get Hadrons!
I am not agreeing with the FCC on this one, but I am going to defend "security through obscurity" a little due to expected /. audience oversimplification and knee jerking. At times "security through obscurity" is a perfectly valid and desirable approach when used *alongside* other good techniques. It is only bad when it is the foundation of your security. Note that I am only addressing the security angle and not addressing open source philosophy (or for some out there religion).
"theres no telling what backdoors Al Qaada has running in our country's networks."
4 9 because no one would have access to review the source code.
Sure there is... anyone can look at the source and see back doors, etc. It's more likely that there could be code in a MS project developed by foreigners in Canada http://slashdot.org/article.pl?sid=07/07/05/21342
Yes, if you did something stupid and your source code was available to the world, it could take less labor to discover your stupidity than if your source was closed.
... My OS is better than yours. Oh wait, that's also the same stupid argument. Market-share, value of the information assets, etc., all play a role. Ask me for my opinion and I'll tell you they all suck, regardless of whether they're open or not. Why? Because the fundamental building blocks we're still depending upon are not reliable, e.g. ARP, DNS, DMA (where your USB thumb drive's driver can overwrite kernel code in memory thanks to DMA), etc.
OTOH, having source available for competent reviewers does increase the likelihood that your stupidity will get caught before it goes to market or, hopefully, shortly thereafter.
But that's just it: having the source available to competent reviewers. It has NOTHING to do with whether the source is open to everyone or not.
Open source != Better Security
Closed source != Better Security
This is as stupid as the ID vs Evolution argument. These are NOT mutually exclusive points. There are many open source projects that have sucky security because they don't have competent security analysis done by competent security analysts. Likewise, there are closed source products that have decent security because they invited competent security analysts to review the code. It's not whether your code is open/closed, it's all about who is reviewing your code.
Do you need an example? Try the NSA. They have code whose source is closed to the world, but is reviewed by competent analysts.
Nanny, nanny, boo-boo
--
The unfortunate reality is that it's seldom the best technology that is adopted, just the technology that is in the right place at the right time.
libertarian: (n) socially liberal, financially conservative; neither left, nor right.
or at least misleading. It's not saying that the software is more insecure and it's not saying that open source software is insecure, it's saying that a phone with software that can be altered by a third party should be classified differently because of the hardware that it's running on. In other words, because a cell phone messes with radio waves, if the software on the phone is designed so that it can be altered by a third party, it should be treated differently then one in which the manufacturer controls the software. This isn't security through obscurity in that they're hoping for less bugs or security holes in the software, it's security by limiting the software that runs on the phone to just the hardware makers.
I hate to say it, but, some evidence suggests that obfuscation works if there is enough of it. Cryoptography is ultimately about adding cost and time to an enemies retrieval of message to deter them from attempting to read it, or at least render it less valuable by the time they do, and obfuscation can do that.
I mean, to some extent, even Microsoft's non-crypted formats are somewhat secure. No one knows how to produce an authentic Word document to the last detail. I don't see an open source file system driver for Linux that lets you reliably write to NTFS formatted partitions, the SAMBA team has numerous problems trying to read Microsoft file and print sharing stuff. If you view all of these closed source efforts as a way to "encrypt data", in the very least, MS has successfully made a lot of their software tamper resistent by the mere virtue of not publishing the source code.
This is my sig.
Out of curiousity, how do you prove that the source code that was provided matches the binaries that were provided?
And, by the same idea, closed source software with hidden backdoors that anyone can exploit is inherently more secure than open-source software that anyone can view the source of, and said closed source software should be used on all government machines.
Despite the people who looked at the source telling everyone on IRC the secret root password, and giving people a few terabytes of sensitive government information in the form of a distributed torrent.
Your post is so wrong, it's tempting to think you must be joking. But in case you're not:
It is acknowledged by the entire security industry - the FCC notwithstanding - that obscuring the method by which you secure something is not an effective way to increase the security of that thing. As an example: a well-design ATM system doesn't depend on whether the attacker knows what's on the ATM card, how the reader works, how the system is programmed, or anything else about the mechanisms. It depends entirely on whether the attacker knows the PIN associated with the card.
As another example, the most secure form of encryption possible - by which I mean it is literally impossible to break without the key - is the one-time-pad cipher. The mechanism for that is trivially simple: take the message you want to encrypt, and begin generating random integers from 1 through 26, one integer per character in the message. Then go through the message, adding each number in sequence to each character in sequence (A + 3 = D, X + 3 = A, etc.). The resulting encrypted text is perfectly resistant to decryption without the key.
The fact that I just told you how to generate and use a OTP cipher doesn't change the fact that it's perfectly unbreakable. The security is in the key, not the mechanism.
Reality has a conservative bias: it conserves mass, energy, momentum...
I hate to say it, but, some evidence suggests that obfuscation works if there is enough of it.
And it all depends on what is meant by "security".
The FCC could care less about how hard it is to recover the message or break the box. What they're concerned about is how hard it is to modify the box to operate outside their regulations.
It's a lot easier to modify the function of a peripheral if you have information about it - including commented source for the controlling driver - than if you don't. Don't believe it? Look how long it took - and still takes - to write blob-free fully-functional Linux drivers for winmodems, graphic accellerators, WiFi chipsets, etc. Listen to the cries for documentation from the driver and kernel development projects.
The FCC says "Thou shalt not publish the source code to the parts that control the radio." Since FOSS licenses REQUIRE the vendors to publish the source code, FOSS is thus effectively forbidden, since it would not be possible to abide by the software license and the FCC license simultaneously.
As for vetting the code, the FCC reserves the right to demand the source of ANY software - proprietary or not - used in a type-approved software-defined radio. They say they probably will rarely want to look, and will probably honor the company's request for confidentiality unless they have some reason not to, but they do demand it be forked over whenever they ask. So arguments that they can't vet it because it's closed are moot.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
I have been seeing it for quite a while now. NTFS-3G, which works within the FUSE userspace file system framework, has an excellent reputation for reliability.
OK, We're supposed to ask the National Guard (our well trained militia, as it were) to arrest various and sundry government employees? Neat idea, I'll just drive down the local Armory and ask them.
Faster! Faster! Faster would be better!