
Comments on: Feds snub open source for 'smart' radios

New FCC rules say open-source code for next-gen mobile tech has "high burden" to show it's secure. Some industry and security experts beg to differ.

Not Bad
by BrandonEubanks July 6, 2007 7:28 AM PDT
Not a bad article for c-net. This one actually has some
journalistic value.

As much as I like the idea of open source software in general, I
can see the FCC's point. You cannot have companies and
individuals distributing devices that can be easily altered to
interfere with the public service or military bands. Think what
would happen if some kid changed his device to broadcast on
the police or EMS band and sent them to the wrong location.
This is one situation where the security scheme should be kept
within the industry or even the company. In their ruling, as
reported by c-net, the FCC recognizes that no device is
unhackable; however, they are basically saying that if you are
going to do this you should make it as difficult as humanly
possible. Part of that idea is to not tell the world how you are
securing the device. Yeah, it is a mass-distributed device and
somebody can get in there and play with the firmware and rig it
to do anything in the realm of reason (and probably a few not so
much in it) but, if you don't tell them how they did it then you
have just made their job harder.

It was noted and I would put an emphasis on it here that the
FCC did not put limits on the development of the technology
itself. They probably don't really care how you pick up signals.
And they don't limit how you pick up open air signals anyway
given they are down link signals only (nearly all open air systems
are). To be clear, I am defining an open air system as an open,
free broadcast that requires no specialized equipment beyond
what is normally available on the open market and no
subscription or encryption key. And besides military bands,
people have been able to pick up police and other public service
bands for years without issue. So I don't think that now they are
going to suddenly reverse thirty years of precedent because the
idea is being adapted to new technology.

However, this system can also be used to pick up closed
broadcasts (anything not in the definition above). This is where
the need for tighter security comes in. Nobody should be able
to easily hack in a device and illegitimately pick up a proprietary
or secured broadcast. This is the crux of the FCC's argument.
And they are basically saying that in their view, the best way to
secure anything is to not tell everyone how you are doing it.
This does not prohibit those working on the device from
discussing how to secure it, it just limits it to intra-industry
dialogue. That is how most things are done anyway.

And on top of this they even say you can use open source code
for security, but since everybody knows about it, you are going
to have to work harder to secure it and then prove that. This is
not at all an unreasonable statement.
by add1kt August 25, 2008 8:00 PM PDT
I concur, well spoken and well put. This article is perhaps the least biased open source vs closed source I have seen to date.
Software Freedom Law Center paper
by jrgarrison July 6, 2007 7:56 AM PDT
The Software Freedom Law Center white paper is posted at http://www.softwarefreedom.org/resources/2007/fcc-sdr-whitepaper.html
Thank you.
by Zoe Slocum July 6, 2007 8:08 AM PDT
We've added a link to the white paper.
FCC the stupid people in the Room
by cohaver July 6, 2007 11:01 AM PDT
After 4 years in the Army and 20 years in telecommunications in the field, I have never seen so many stupid people who keep telling you how unsafe open source code is after, time and time again, they have been proved wrong.
Most of the code they use on their network was based on secure code made by companies with a history of high-level breaches. But we are to understand. When technology is based on lawyers and not engineers, we all lose in America.
FCC seems to walk backward into history...
by wbenton July 8, 2007 7:29 AM PDT
They still must learn that open source is the best way to ensure it has industrial strength security. (* LOL *)

Everybody (with exception of the FCC of course) knows this.

If the code is made open source, everybody will look for ways to crack into it... they will look for vulnerabilities not otherwise locatable without the source code.

The best way to get a security scan is to hand your source over to hackers... (* GRIN *) If there's a flaw or weakness in the code... THEY WILL FIND IT.

But if you hand the source code over to say Microsoft or any other 3rd party security screener... they may or may not find ALL of the flaws and you've got to pay for those scans as well. (* CHUCKLE *)

I think the problem the feds are facing is that with open source, the bad guys get their hands on good code and modify it such that the feds cannot tap into it any more and "THAT" is why they're snubbing it. (* LOL *)

FWIW
Obscurity is not security
by jabbotts July 9, 2007 8:30 AM PDT
The Feds are following the oldest myth in security. Obscurity has nothing to do with security. If the FCC wants to disallow smart radios then let them give real reasons for doing so. Telling us it is because of Open Source is a complete lie based on a myth.

Open Source has bugs like any other software development model but they are found and fixed much faster. There's a reason why no one in their right mind would take a laptop running Windows to Defcon or any of the other computer security trade shows.

http://articles.techrepublic.com.com/5100-10877-6064734.html
One exception
by ralfthedog July 9, 2007 1:00 PM PDT
Security through obscurity is quite effective when it comes to passwords and private keys. :)