Feds snub open source for 'smart' radios

[David Farber <dave () farber net>]

Begin forwarded message:

From: Kurt Albershardt <kurt () nv net>
Date: July 23, 2007 3:37:00 PM EDT
To: dave () farber net
Subject: Feds snub open source for 'smart' radios

By Anne Broache
<http://news.com.com/Feds+snub+open+source+for+smart+radios/ 
2100-1041_3-6195102.html>

Story last modified Fri Jul 06 08:10:42 PDT 2007

...a new federal rule set to take effect Friday could mean that  
radios built on "open-source elements" may encounter a more sluggish  
path to market--or, in the worst case scenario, be shut out  
altogether. U.S. regulators, it seems, believe the inherently public  
nature of open-source code makes it more vulnerable to hackers,  
leaving "a high burden to demonstrate that it is sufficiently secure."

If the decision stands, it may take longer for consumers to get their  
hands on these all-in-one devices. The nascent industry is reluctant  
to rush to market with products whose security hasn't been thoroughly  
vetted, and it fears the Federal Communications Commission's  
preference for keeping code secret could allow flaws to go unexposed,  
potentially killing confidence in their products.

By effectively siding with what is known in cryptography circles as  
"security through obscurity," the controversial idea that keeping  
security methods secret makes them more impenetrable, the FCC has  
drawn an outcry from the software radio set and raised eyebrows among  
some security experts.

"There is no reason why regulators should discourage open-source  
approaches that may in the end be more secure, cheaper, more  
interoperable, easier to standardize, and easier to certify," Bernard  
Eydt, chairman of the security committee for a global industry  
association called the SDR (software-defined radio) Forum, said in an  
e-mail interview this week.

The Forum, which represents research institutions and companies such  
as Motorola, AT&T Labs, Northrup Grumman and Virginia Tech, urged the  
FCC to back away from that stance in a formal petition <http:// 
www.sdrforum.org/uploads/pub_439156SDRF-07-A-0012- 
V0_0_0_Response_to_MOO.pdf> this week.

Those concerns were endorsed by the Software Freedom Law Center,  
which provides legal services to the free and open-source software  
community, staff attorney Matt Norwood said in an interview this week.

Still, in a white paper released Friday <http:// 
www.softwarefreedom.org/resources/2007/fcc-sdr-whitepaper.html>, the  
group says there's also good news for its developers in the FCC's  
rule: because it focuses narrowly on security-related software, it  
appears that programmers would not be restricted from collaboration  
with hardware makers on the many other kinds of open-source wireless  
applications. (Many 802.11 wireless routers that are under the FCC's  
control already rely on open-source systems for network management.)

...

"Obscurity works best when the hackers can't test their attacks,"  
said Peter Swire, an Ohio State University law professor who has  
written about the tensions between closed and open approaches to  
computer security. "For software like this, used in distributed  
devices, there should be no extra burden on open source."

There's also no clear evidence that the number of vulnerabilities in  
open-source software differs dramatically from that of proprietary  
software, said Alan Paller, director of research for the SANS  
Institute, which provides computer security training. (Some earlier  
studies have found that the generally more intensive scrutiny of open- 
source code can help keep its quality higher and vulnerabilities lower.)

"They should be defining it as software with reliable maintenance or  
software without reliable maintenance--that's the fundamental  
security issue," Paller said in a telephone interview. "If I don't  
have somebody I can call when I find out there's a vulnerability in  
my software, I'm dead."

...







-------------------------------------------
Archives: http://v2.listbox.com/member/archive/247/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com