Slashdot Mirror
FCC Rules Open Source Code Is Less Secure
An anonymous reader writes "A new federal rule set to take effect Friday could mean that software radios built on 'open-source elements' may have trouble getting to market. Some US regulators have apparently come to the conclusion that, by nature, open source software is less secure than closed source. 'By effectively siding with what is known in cryptography circles as "security through obscurity," the controversial idea that keeping security methods secret makes them more impenetrable, the FCC has drawn an outcry from the software radio set and raised eyebrows among some security experts. "There is no reason why regulators should discourage open-source approaches that may in the end be more secure, cheaper, more interoperable, easier to standardize, and easier to certify," Bernard Eydt, chairman of the security committee for a global industry association called the SDR (software-defined radio) Forum, said in an e-mail interview this week.'"
Just goes to show how much a bunch of gov't bureaucrats know. Or maybe there just being ass-kissy with business again.
Because Security Through Obscurity totally worked for:
MPAA (DeCSS)
Nazis (Enigma)
Xerox (Robin Hood & Friar Tuck)
Microsoft (just about any form of security they've ever had)
and about a billion other examples
Karma: Non-Heinous
If I'm trying to break into some code, and I can read the source code to determine how the author protected it, I'll have an easier job (note: "easier", not "easy") because I can home in on the algorithm the author used. I know whether it's Blowfish, DES, AES, IDEA, or a simple XOR or substitution cipher. I know what pre-encrpytion steps were taken, and what post-encryption algorithms were used.
Let's say that in a moment of insanity, I decided to use a basic XOR encryption routine (create each byte in the encrypted stream by XOR-ing the corresponding source byte with every byte in the password save one, rotating that one as I iterate over the source). This is completely and utterly trivial to crack if you have the source code and *know* the routine I used. It's a repetitive cypher, so it's reasonably obvious unless the password is of significant (a sizeable fraction of the source's length) as well. Note the difference - it's easier with the source code.
Now that's a contrived example - no-one in their right minds would use an XOR cypher, but the same principle applies to harder encryption techniques. If you *know* what system was used to protect the source, you have an advantage over not knowing... Did they gzip the source before encrypting it ? Did they use ZIP, RAR, or 'compress' instead ? Did they XOR to hide the obvious compression header ? Is it inverted (last byte first) or was any other transformation done *before* the encryption stage to try and make it non-obvious that a successful crack had taken place ? These are all "knowns" if you have the source code...
So, yes, it is easier when you have the source code. Security through obscurity is rightly derided, but not because it has no value. It is derided because it leads to the use of insecure encryption methods (small keys, using XOR/whatever instead of proper hard encyption, etc) and the fact that once the obscurity is cleared up, there's no more security. The idea is that if you are sufficiently confident that your encryption is unbreakable, you *can* document how you did it in public. That doesn't mean you *should*.
The point though, and why I disagree with the regulators, is that if you're using hard encryption, it really doesn't matter whether it's *easier*, it's not *easy*. It is in fact still so damn hard, that we're talking "impossible in our lifetime(*)" - the relative comparison makes no sense. It's akin to measuring the height of Mount Everest at 6-month intervals - it's always pretty darn high, though you might find some variance due to snowfall.
So, yes, they're right. But by not considering the (tiny) impact of their conclusion, they have made the wrong ruling.
(*) Modulo the discovery of an easy way to crack the encryption technology, of course.
Simon.
Physicists get Hadrons!
And we keep voting the same crew into office who keep appointing the same bozos to the FCC... shame on us.
OCO is Loco
... since its very inception back in 1934 (and its predecessor the "Federal Radio Commission from 1927 until 1934) has always been under the corrupted financial influence of the big broadcasters, despite the faux-adversarial image they try to paint on their relationships.
Over at the Software Freedom Law Center, we've published a white paper regarding the new rules. That might be of interest to some.
How can you prove something is secure if you can't see the source code?
You can't.
The FCC's position is that it is better to hide one's head in the sand and hope the vendor implemented a secure solution than to actually *prove* the solution is secure.
The FCC has always worried that the technology's flexible nature could allow hackers to gain access to inappropriate parts of the spectrum, such as that used for public safety. So the regulators required manufacturers to submit confidential descriptions showing that their products are safe from outside modifications that would run afoul of the government's rules. Cisco's petition asked the regulators to clarify how use of open-source security software, whose code is by definition public, fit into that confidentiality mandate.
The problem is that, as any ham operator knows, access to any part of the spectrum is as simple as building your own homebrew equipment. Hackers, by their very nature, already know how to access the radio spectrum; it is the weak, or non-existent encryption which represents the real threat. Keeping your code closed allows security vulnerabilities to exist for much longer than they would if they could be scrutinized by the public at large.
Furthermore, any software defined radio, open source or not, can be made "open source" by simply replacing the binary in flash. Which means that any software defined radio, open source or not, can be hacked. Which might be a bigger issue worth more discussion.
The society for a thought-free internet welcomes you.
I am somewhat perplexed as to why the FCC would need to be regulating the security of consumer devices. For organization that need secure communications, there are already many government and private certifications, that insure this. But why on earth would they restrict consumers from purchasing non-secure software radios if they don't need them?
Is this because they feel that software radios could be hacked to broadcast outside of their certified frequency and power limits? Or because they think they need to protect the public from buying 802.11 routers with crappy WAP implementations?
These are the same FCC bozos who are promoting Broadband Over Power Line or BPL, despite all the independent technical experts who confirm that the systems are just giant antennas radiating hash, noise, etc and interfering with Public Service Radio. Along those lines, the American Radio Relay League (ARRL) is suing the FCC over its certification methods for such systems. see www.arrl.org for the details
The security bit is just a cover story. This is about some perceived danger to the RIAA, MPIAA and similar cartels.
The problem the FCC (and every other emission regulation body) has with open source and software radio is that it will be trivial to modify a device using these methods to emit at an arbitrarily high power level over a restricted wavelength, or using a band without using the proper medium access control. If this happened, the wavelength would be pretty much unusable for all other users until the FCC tracks down the emitter, and shuts him down.
That's why today, most radio-enabled devices, and especially mobile phones, have to pass type conformance to be commercialized in a geographic area. In the current state of things, if the radio software can be changed by the user, the type conformance cannot be awarded. Software radio makes things worse, because it is harder to justify that a component cannot emit at a given frequency, if changing the software in this component would allow switching emission frequencies at will.
The FCC has absolutely no power to regulate nor any say at all in how software radio or television are implemented.
n s/200505/04-1037b.pdf
The FCC commisioners are deluding themselves, again, if they think Congress gave them the power to appoint monopolies.
They have already been slapped down once with regards to the DTV Redistribution Control flag and they're about to be slapped down again.
What's next, washing machines and clock radios?
http://pacer.cadc.uscourts.gov/docs/common/opinio
If the Foolish Child Commission can't remember the limits of their power, We the People will be more than happy to remind them, spank them and send them to their 'time-out' corner once again.
Well, if they [FCC] are going to take this stance, it is our duty to enlighten them as to the consequences of their actions.
I would like to see a Month of Closed-Source Software Raido Hacks
Then they [FCC] will discover that since the closed source software radios are not examined by independent unbiased debuggers, the possibility of bugs, bad encryption schemes, et al is a very high possibility.
Maybe then the government bureaucrats will see the merits of Open Source.
My backup chemistry thesis stored on Data Storing Bacteria mutated; granting me a degree in forensic anthropology. v4sw7
Oh for [insert deity]'s sake, please don't tell them that... If they actually start thinking through every possible way someone could do harm on a plane, they'll shut down the airlines "for your safety and convenience"...
At the end of the day, the most dangerous thing is an intelligent mind with the goal of doing harm. There is little-to-no way to protect against that, but it's not a politically acceptable truth, so they just make life difficult for everyone and hope for the best [sigh]. The *only* reason for all this is to protect *themselves* from a "you didn't do anything" accusation after the fact.
If people would just accept that life == risk, we'd be a lot better off.
Simon.
Physicists get Hadrons!
...at least not security as it's usually defined. It's about prevention of modification by the end user or a third party not authorized by the manufacturer.
While the rules require these "security" measures to prevent modification to software designed radios, as far as I can tell (based on several 802.11 devices I've messed with) the only actual "security" measures which have been taken have been to not publish the source. There's not really anything preventing modification of the firmware to operate outside the ISM band or at unpermitted power levels. So I'm not sure exactly what measures the FCC is really requiring, other than that manufacturers don't publish their datasheets.
If the end-user can modify the source with reasonable ease:
They can easily bypass any "broadcast flag";
They can remove restrictions on which channels a scanner can scan;
They may be able to transmit on forbidden channels or at
power levels that are above those permitted for a channel.
That is the sort of hacking that frightens the FCC
Andy
Lookup Kerckhoffs' principle. Security through obscurity is a widely debated subject going all back to the 19 century, when it concerns to cryptography, and sooner than that, in the locksmith circles, and it is more or less a consensus that it is not only ineffective but terribly dangerous, because "every secret create a potential failure point".
Read the wikipedia article, it is enlightening and very insightful.
There's nothing inherently secure about closed source software or anything inherently secure about open source software. In fact, closed source software that is not secure when the source code is visible is not really secure at all.
It's just that the boys at the FCC are go getters! Who cares if they aren't software security people, it's the FCC! They see a problem and are totally pro-active to take it on. Morality cops on TV and radio? That definitely falls within assigning and licensing portions of the EM spectrum for private industry. They're just going above and beyond.
All hail the FCC!
(can I puke now?)
More Twoson than Cupertino
I'm sure he appointed people to the FCC who are every bit as competent as:
Brown
Chertoff
Wolfowitz
Rumsfeld
Harriot Myers
Alberto Gonzales
Scotter Libby
...it's a very long list. Should I keep going or did I make my point?
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
-William Brendel
"Ceteris paribus" -- assuming "allthings being equal", which they never are.
True, if you have two equally boneheaded pieces of software, then exploits in a the closed one are harder to divine -- not by much, but harder. On the other hand, if you have a piece of software that has survived years of public scrutiny by experts, that is presumptively harder to exploit than something some random engineer ginned up in secret.
Something cannot be widely reviewed (which is the gold standard in security) and secret at the same time. So generally, I think open source represents the best by far and the worst by a little of security possibilities.
The ultimate problem is that broad statements like X is more secure than Y are meaningless. You have to specify the context and threat you are concerned with. Is an open source interpreter burned into a ROM inside of microwave oven more vulnerable than a proprietary interpreter? Well, against what? Same goes for the software radio thing.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Whoa, there. There are lots of ways to violate FCC regulations with off the shelf hardware. Whether it happens in hardware or software, it's still illegal. There's no reason that OSS can't comply, they're simply arguing that somebody could re-code it to be non-compliant. Hardly a valid reason for disallowing it.
Is it just my observation, or are there way too many stupid people in the world?
Standard Neo-con practice, appoint like-minded, highly loyal individuals into key points of power to make decisions that benefit big companies and personal investments in ways that congress can not easily effect.
Kevin J. Martin is the current head of the FCC, appointed by Bush in 2005. Prior to that, he was general council for Bush's first election campaign, then he took over the 'technical transition' when Bush/Chenny were moving into the white house. After they got settled he picked up a nice position as a white house assistant. The guy is nothing more than yet another Neo-con chronie who shows his loyalty to big business and the party line over the interests of the people and gets promoted for it.
On the bright side though, he is at least somewhat qualified for the job. He has a real degree from a real school, he worked at the FCC prior to being appointed to Chairman, and has focused much of his career in the tech/telecomm industries.
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
I am not agreeing with the FCC on this one, but I am going to defend "security through obscurity" a little due to expected /. audience oversimplification and knee jerking. At times "security through obscurity" is a perfectly valid and desirable approach when used *alongside* other good techniques. It is only bad when it is the foundation of your security. Note that I am only addressing the security angle and not addressing open source philosophy (or for some out there religion).
...like Bruce Schneier:
"If an algorithm is only secure if it remains secret, then it will only be secure until someone reverse-engineers and publishes the algorithms. A variety of secret digital cellular telephone algorithms have been "outed" and promptly broken, illustrating the futility of that argument."from Crypto-Gram: September 15, 1999
But what could we expect from an FCC headed by a lawyer, a businessman, a professional Senate staffer, a DRM-supporter who received coaching from Clear Channel to oppose a satellite radio merger, and a professional telecom corporate lobbyist.
i am the opposite of tom_good, i am the XOR of ]=9fÆ"ÝÕ and ÖÆ\KF, i am 746F6D5F6576696C00.
This doesn't quite meet the criteria for Godwin's law, as he was not calling anyone a Nazi (well, other than the actual Nazis, but that's just statement of fact), nor was he using them as an example because of their being Nazis, he was simply citing a well known instance where security through obscurity failed a group that believed their crypto to be perfect because nobody else knew how it worked.
Try not to take me more seriously than I take myself.
"theres no telling what backdoors Al Qaada has running in our country's networks."
4 9 because no one would have access to review the source code.
Sure there is... anyone can look at the source and see back doors, etc. It's more likely that there could be code in a MS project developed by foreigners in Canada http://slashdot.org/article.pl?sid=07/07/05/21342
Enigma was publicly documented to a degree. It was based upon commercial devices from the 1920s, this greatly facilitated those who attacked it. The extensions / revisions made to the basic design were kept secret, however the weaknesses that led to its defeat were not these extensions or revisions but operator error. For example operators would send the same test message each morning, a violation of their training and procedures, and this greatly aided in the discovery of the day's configuration of the machine.
7 70229.
This example aside, your suggestion that "security through obscurity" is bad is wrong. See http://slashdot.org/comments.pl?sid=246437&cid=19
Yes, if you did something stupid and your source code was available to the world, it could take less labor to discover your stupidity than if your source was closed.
... My OS is better than yours. Oh wait, that's also the same stupid argument. Market-share, value of the information assets, etc., all play a role. Ask me for my opinion and I'll tell you they all suck, regardless of whether they're open or not. Why? Because the fundamental building blocks we're still depending upon are not reliable, e.g. ARP, DNS, DMA (where your USB thumb drive's driver can overwrite kernel code in memory thanks to DMA), etc.
OTOH, having source available for competent reviewers does increase the likelihood that your stupidity will get caught before it goes to market or, hopefully, shortly thereafter.
But that's just it: having the source available to competent reviewers. It has NOTHING to do with whether the source is open to everyone or not.
Open source != Better Security
Closed source != Better Security
This is as stupid as the ID vs Evolution argument. These are NOT mutually exclusive points. There are many open source projects that have sucky security because they don't have competent security analysis done by competent security analysts. Likewise, there are closed source products that have decent security because they invited competent security analysts to review the code. It's not whether your code is open/closed, it's all about who is reviewing your code.
Do you need an example? Try the NSA. They have code whose source is closed to the world, but is reviewed by competent analysts.
Nanny, nanny, boo-boo
--
The unfortunate reality is that it's seldom the best technology that is adopted, just the technology that is in the right place at the right time.
libertarian: (n) socially liberal, financially conservative; neither left, nor right.
We've decrypted your text, and the FCC would like to inform you that we do not approve that sort of vulgarity! -the FCC
Ben Hocking
Need a professional organizer?
or at least misleading. It's not saying that the software is more insecure and it's not saying that open source software is insecure, it's saying that a phone with software that can be altered by a third party should be classified differently because of the hardware that it's running on. In other words, because a cell phone messes with radio waves, if the software on the phone is designed so that it can be altered by a third party, it should be treated differently then one in which the manufacturer controls the software. This isn't security through obscurity in that they're hoping for less bugs or security holes in the software, it's security by limiting the software that runs on the phone to just the hardware makers.
I hate to say it, but, some evidence suggests that obfuscation works if there is enough of it. Cryoptography is ultimately about adding cost and time to an enemies retrieval of message to deter them from attempting to read it, or at least render it less valuable by the time they do, and obfuscation can do that.
I mean, to some extent, even Microsoft's non-crypted formats are somewhat secure. No one knows how to produce an authentic Word document to the last detail. I don't see an open source file system driver for Linux that lets you reliably write to NTFS formatted partitions, the SAMBA team has numerous problems trying to read Microsoft file and print sharing stuff. If you view all of these closed source efforts as a way to "encrypt data", in the very least, MS has successfully made a lot of their software tamper resistent by the mere virtue of not publishing the source code.
This is my sig.
Out of curiousity, how do you prove that the source code that was provided matches the binaries that were provided?
Interesting that they apparently didn't consult folks at NSA. Their operating hypotheses for any US cryptosystem are:
1. The equipment is known and available for disassembly and testing
2. The algorithm is known or discernable from the equipment and related manuals
3. You have lots of output data from the device (the underlying plain text is properly)
4. You don't have the key...that's what you need
While I will grant that most folks never see any of this (most equipment, algorithm details, and key parts of repair/use manuals are classified), they assume the worst case and still make it secure. In other words, like having open source code and figuring out the key from that and clean output.
While "Security through Restricted Access" is a very good practice, the argument is STUPID at best, and downright biased towards closed, proprietary software vendors. Frankly, these people couldn't encrypt their way out of a wet paper bag with a pen, ruler, and other sharp things like their pointy little heads.
If they think it is "less secure" we can lock them up somewhere with whatever they want to crack an open source cryptosystem used as the jail lock and see how soon they get out. I hope they include a lifetime supply of food, water, toiletries, medicines, etc. I think a simple 1024 bit Elliptical Curve Cryptographic system will keep them safely behind bars for several decades, if not their lives.
Where do they find these bozos to fill these positions? I'd like to know so we can close that source of universal stupidity off and make the world a better place...
I guess these folks will never qualify for one of my D.O. letter...they're either just too stupid or have such low IQs that they need to be institutionalized immediately.
Supreme Granter of Doctor of Obviology Letters ("A FIRM Command of the Obvious")
Government is customer managed and you get what the majority deserves :-(
To the person with only a hammer, everything looks like a nail...
Not all government is bad and wasteful; it can and does out perform the private sector more times than Americans are sold to believe.
This may be hard to grasp, but its partially YOUR fault if you can't manage your government employees. (FYI, one of your management tools was the purpose of the 2nd amendment!)
As Ben Franklin essentially said, any government well administered is good government and all eventually fall (as a result of despotism; society is not a spectator regardless of what they may think.)
Democracy Now! - uncensored, anti-establishment news
"You can always turn the television off and, of course, block the channels you don't want.... But why should you have to?"
Kevin J. Martin
FCC Chairman
Your post is so wrong, it's tempting to think you must be joking. But in case you're not:
It is acknowledged by the entire security industry - the FCC notwithstanding - that obscuring the method by which you secure something is not an effective way to increase the security of that thing. As an example: a well-design ATM system doesn't depend on whether the attacker knows what's on the ATM card, how the reader works, how the system is programmed, or anything else about the mechanisms. It depends entirely on whether the attacker knows the PIN associated with the card.
As another example, the most secure form of encryption possible - by which I mean it is literally impossible to break without the key - is the one-time-pad cipher. The mechanism for that is trivially simple: take the message you want to encrypt, and begin generating random integers from 1 through 26, one integer per character in the message. Then go through the message, adding each number in sequence to each character in sequence (A + 3 = D, X + 3 = A, etc.). The resulting encrypted text is perfectly resistant to decryption without the key.
The fact that I just told you how to generate and use a OTP cipher doesn't change the fact that it's perfectly unbreakable. The security is in the key, not the mechanism.
Reality has a conservative bias: it conserves mass, energy, momentum...
The issue is that this ruling benefits Cisco that wants to defeat the likes of Linksys, Netgear and others that are beginning to deliver "decent" solutions with cheap radios and the help of hobbyists leveraging open source software. If you require that some of the SW is closed, you cannot leverage the benefits of the open source module on that bit you have closed. You also have to end up spending more time organizationally to support the effort, because you have to maintain two sets of documents -- one for the closed section, and another for the open section. You have to support binary compatibility, or some mechanism for the open source to integrate with the closed source firmware... it just becomes that much more of a burden for Cisco's competitors to develop and maintain their solutions.
So, please, don't flood the FCC with emails telling them that "Open source /is/ secure" -- from the standpoint of regulation, it's not! Flood them instead with messages that say, "This ruling is entirely prejudicial against many companies leveraging Open Source software for their solutions."
I hate to say it, but, some evidence suggests that obfuscation works if there is enough of it.
And it all depends on what is meant by "security".
The FCC could care less about how hard it is to recover the message or break the box. What they're concerned about is how hard it is to modify the box to operate outside their regulations.
It's a lot easier to modify the function of a peripheral if you have information about it - including commented source for the controlling driver - than if you don't. Don't believe it? Look how long it took - and still takes - to write blob-free fully-functional Linux drivers for winmodems, graphic accellerators, WiFi chipsets, etc. Listen to the cries for documentation from the driver and kernel development projects.
The FCC says "Thou shalt not publish the source code to the parts that control the radio." Since FOSS licenses REQUIRE the vendors to publish the source code, FOSS is thus effectively forbidden, since it would not be possible to abide by the software license and the FCC license simultaneously.
As for vetting the code, the FCC reserves the right to demand the source of ANY software - proprietary or not - used in a type-approved software-defined radio. They say they probably will rarely want to look, and will probably honor the company's request for confidentiality unless they have some reason not to, but they do demand it be forked over whenever they ask. So arguments that they can't vet it because it's closed are moot.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
I have been seeing it for quite a while now. NTFS-3G, which works within the FUSE userspace file system framework, has an excellent reputation for reliability.
The "why should you have to?" is in reference to paying for channels that you have blocked or don't watch. I have to agree with him on that.
Support Right To Repair Legislation.
A few years ago the FCC was overhauled in an effort to speed the processes of approval and allocation. At that time the most common complaint was that it took years to obtain approval for new technology. The truth is, that the old FCC did seem to drag their feet and yes, it was rather difficult to get approval for new technology and to get a piece of the radio spectrum reallocated you may as well forget about it. People and industry did have a lot to complain about. When the FCC did make a decision, it was (almost) always the right one, it had been well researched and lobbiests and lawyers had little influence, even the politicians really had very little say.
When the system was overhauled, it was done with the best of intentions. They allowed industry access in ways that they never had before and the FCC had to start to rely on information presented by the very industry that they were intended to police! Today, we could almost describe the industry relationship with the FCC as symbiotic.
The FCC has as it's primary charge the responsibility of making the public airwaves work for the public. They protect these airwaves by allocating frequencies, by approving new uses, and by certifying equipment that may use or interfere with the public airwaves.
With technology changing so fast, and the airwaves being so crowded, and all sorts of new ideas (good and bad), the FCC has lots to do. Congress told them to work faster and be more responsive to industry. Industry does not want OSS, they view it as competition. They would rather develop copyrighted and even patented software to do this stuff so that they can earn a healthy return on investment. The FCC is simply echoing this as they have been instructed by congress to do (they see it as working with industry).
OSS is sort of socialist when you think about it from the closed source standpoint. It is a threat simply because it is free. You would think public airwaves would be a place where free software would be at home -- and it should be but it isn't. Becuase the FCC is no longer really allowed to make the best decisions for the public. They must now answer to the very people they are supposed to police. That is simply wrong; they should answer to the public and the requirements of international treaties.