Feds snub open source for 'smart' radios

(continued from previous page)

The new FCC rule, prompted in part by a petition last June from Cisco Systems, builds on software-defined radio ground rules established in 2001 and 2005.

The FCC has always worried that the technology's flexible nature could allow hackers to gain access to inappropriate parts of the spectrum, such as that used for public safety. So the regulators required manufacturers to submit confidential descriptions showing that their products are safe from outside modifications that would run afoul of the government's rules. Cisco's petition asked the regulators to clarify how use of open-source security software, whose code is by definition public, fit into that confidentiality mandate.

In response, the FCC decreed that open-source security software, too, cannot be made public if doing so would raise the risk that the FCC's rules could be sidestepped. Then the commission added: "a system that is wholly dependent on open-source elements will have a high burden to demonstrate that it is sufficiently secure to warrant authorization as a software-defined radio."

In its filing this week, the SDR Forum asked the FCC to allow radio makers to discuss their code in public, as long as they weren't intending to encourage rule-breaking. The group also urged a neutral stance on the security of open-source software, arguing that "academic inquiry and industry discussion coupled with a market test," not regulators, should decide.

The Cisco representative who petitioned the agency for the rule changes was not available for an interview with CNET News.com this week. Robert Pepper, the company's senior technology policy director, said he believed Cisco was comfortable with the new rule. An FCC spokesman said the commission had received and would review the SDR Forum's filing, but it was unclear when it would respond.

The FCC's latest move isn't the first time the open-source side of software radio has faced potential limits.

A few years ago, the agency issued rules that would have made it illegal to manufacture TV tuners and PCs that did not support the controversial "broadcast flag," an anticopying regime backed by the entertainment industry.

A federal appeals court threw out the rules. But if left in place or revived by Congress, they would threaten the ability of consumers to build their own unrestricted radio signal receivers, using the likes of a free software radio toolkit known as GNU Radio.

An attorney for the Software Freedom Law Center, which provides legal services to free and open-source software developers, said the regulators could have done far worse in their latest rule: the FCC acknowledged that the open-source platform may have "advantages," such as lower costs and development time, and it didn't outright ban open-source applications.

"I was gratified at least to see they've moved away from...all the rhetoric a few years ago about how the GPL is a virus and free software is un-American," said Software Freedom Law Center's Norwood.

The lingering concern from the manufacturers' side is that as long as the FCC discourages open discussions of security tactics, consumers will encounter delays or fewer choices in the new gadgets--or products laced with bugs that could have been caught with more collaboration.

The SDR Forum has cited the Secure Socket Layer (SSL), a widely used technique for securing e-commerce transactions, and the National Institute of Standards and Technology (NIST)'s public hash algorithms as evidence that open processes often yield the most highly successful security techniques.

Without similar freedoms for software radio makers, "there may be some people that will shy away or may delay some (software radio) pieces that go out there because they have this extra burden they have to go through," said Bruce Oberlies, chairman of the SDR Forum's regulatory committee.

[BrandonEubanks]

Not Bad

Not a bad article for c-net. This one actually has some
journalistic value.

As much as I like the idea of open source software in general, I
can see the FCC's point. You can not have companies and
individuals distributing devices that can be easily altered to
interfere with the public service or military bands. Think what
would happen if some kid changed his device to broadcast on
the police or EMS band and sent them to the wrong location.
This is one situation where the security scheme should be kept
within the industry or even the company. In their ruling, as
reported by c-net, the FCC recognizes that no device is
unhackable however, they are basically saying that if you are
going to do this you should make it as difficult as humanly
possible. Part of that idea is to not tell the world how you are
securing the device. Yea, it is a mass distributed device and
somebody can get in their and play with the firmware and rig it
to do anything in the realm of reason (and probably a few not so
much in it) but, if you don't tell them how they did it then you
have just made their job harder.

It was noted and I would put an emphasis on it here that the
FCC did not put limits on the development of the technology
itself. They probably don't really care how you pick up signals.
And they don't limit how you pick up open air signals anyway
given they are down link signals only (nearly all open air systems
are). To be clear, I am defining an open air system as an open,
free broadcast that requires no specialized equipment beyond
what is normally available on the open market and no
subscription or encryption key. And besides military bands,
people have been able to pickup police and other public service
bands for years without issue. So I don't think that now they are
going to suddenly reverse thirty years of precedent because the
idea is being adapted to new technology.

However, this system can also be used to pick up closed
broadcasts (anything not in the definition above). This is where
the need for tighter security comes in. Nobody should be able
to easily hack in a device and illegitimately pick up a proprietary
or secured broadcast. This is the crux of the FCC's argument.
And they are basically saying that in their view, the best way to
secure anything is to not tell everyone how you are doing it.
This does not prohibit those working on the device from
discussing how to secure it, it just limits it to intra-industry
dialogue. That is how most things are done anyway.

And on top of this they even say you can use open source code
for security but, since everybody knows about it you are going
to have to work harder to secure it and then prove that. This is
not at all an unreasonable statement.

[add1kt]

I concur, well spoken and well put. This articles is perhaps the least biased open source vs closed source I have seen to date.

[jrgarrison]

Software Freedom Law Center paper

The Software Freedom Law Center white paper is posted at http://www.softwarefreedom.org/resources/2007/fcc-sdr-whitepaper.html

[Zoe Slocum]

Thank you.

We've added a link to the white paper.

[cohaver]

FCC the stupid people in the Room

After 4 year in Army and 20 years in Telecommunication in Field never seem so many stupid people that keep telling you how unsafe open source code is after after time and time again
they been proved wrong
Most of the code they use on their network was based on secure code made by companies with a history of high level breaches . But we are to understand. When Technology is based on Lawyers and not engineers we all lose in America.

[wbenton]

FCC seems to walk backward into history...

They still must learn that open source is the best way to ensure it has industrial strength security. (* LOL *)

Everybody (with exception of the FCC of course) knows this.

If the code is made open source, everybody will look for ways to crack into it... they will look for vulnerabilities not otherwise locatable without the source code.

The best way to get a security scan is to hand your source over to hackers... (* GRIN *) If there's a flaw or weakness in the code... THEY WILL FIND IT.

But if you hand the source code over to say Microsoft or any other 3rd party security screener... they may or may not find ALL of the flaws and you've got to pay for those scans as well. (* CHUCKLE *)

I think what the problem the feds are facing is that with open source, the bad guys get their hands on good code and modify it such that the feds cannot tap into it any more and "THAT" is why they're snubbing it. (* LOL *)

FWIW

[jabbotts]

Obscurity is not security

The Feds are following the oldest myth in security. Obscurity has nothing to do with security. If the FCC wants to disallow smart radios then let them give real reasons for doing so. Telling us it is because Open Source a complete lie based on a myth.

Open Source has bugs like any other software development model but they are found and fixed much faster. There's a reason why no one in there right mind would take a laptop running Windows to Defcon or any of the other computer security trade shows.

http://articles.techrepublic.com.com/5100-10877-6064734.html

[ralfthedog]

One exception

Security through obscurity is quite effective when it comes to passwords and private keys. :)