Re: Feds snub open source for 'smart' radios

[David Farber <dave () farber net>]

Begin forwarded message:

From: John Shoch <shoch () alloyventures com>
Date: July 24, 2007 11:17:38 AM EDT
To: dave () farber net, ip () v2 listbox com
Cc: John Shoch <shoch () alloyventures com>
Subject: RE: [IP] Feds snub open source for 'smart' radios

I fear that many people may misunderstand this somewhat overstated  
article.

An assertion like, "If the decision stands, it may take longer for  
consumers to get their
hands on these all-in-one devices" makes it seem like consumers will  
have no chance to get some new-fangled mobile device.

As I read the FCC action, it is much more narrow.  Their concern  
appears to be that people will be able to manipulate the software in  
a software-defined-radio to make the radio behave beyond its  
specified operating characteristics (e.g., blast too much power).

Three excerpts from the Final Rule, at http://a257.g.akamaitech.net/ 
7/257/2422/01jan20071800/edocket.access.gpo.gov/2007/07-2684.htm:

"In the Cognitive Radio Report and Order, the Commission modified
the rules to require that radios in which the software is designed or
expected to be modified by a party other than the manufacturer be
certified as software defined radios. To minimize the filing burden on
manufacturers, this requirement was narrowly tailored to affect only
those radios where the software can be modified by a party other than
the manufacturer because such radios pose a higher risk of interference
to authorized radio services."

"...only radios in
which the software is designed or expected to be modified by a party
other than the manufacturer and would affect the listed operating
parameters or circumstances under which the radio transmits must be
certified as software defined radios."

"manufacturers should not
intentionally make the distinctive elements that implement that
manufacturer's particular security measures in a software defined radio
public, if doing so would increase the risk that these security
measures could be defeated or otherwise circumvented to allow operation
of the radio in a manner that violates the Commission's rules."

This is a pretty narrow constraint just on the security/control  
aspects of running the radio component.

But it does not mean that open source will not be a powerful factor  
in the development or deployment of next generation mobile devices  
(Panasonic, NEC, and Motorola are already deploying smart-phones  
based on MontaVista's embedded Linux......).

John Shoch
Alloy Ventures

-----Original Message-----
From: David Farber [mailto:dave () farber net]
Sent: Monday, July 23, 2007 1:19 PM
To: ip () v2 listbox com
Subject: [IP] Feds snub open source for 'smart' radios


Begin forwarded message:

From: Kurt Albershardt <kurt () nv net>
Date: July 23, 2007 3:37:00 PM EDT
To: dave () farber net
Subject: Feds snub open source for 'smart' radios

By Anne Broache
<http://news.com.com/Feds+snub+open+source+for+smart+radios/ 
2100-1041_3-6195102.html>

Story last modified Fri Jul 06 08:10:42 PDT 2007

...a new federal rule set to take effect Friday could mean that
radios built on "open-source elements" may encounter a more sluggish
path to market--or, in the worst case scenario, be shut out
altogether. U.S. regulators, it seems, believe the inherently public
nature of open-source code makes it more vulnerable to hackers,
leaving "a high burden to demonstrate that it is sufficiently secure."

If the decision stands, it may take longer for consumers to get their
hands on these all-in-one devices. The nascent industry is reluctant
to rush to market with products whose security hasn't been thoroughly
vetted, and it fears the Federal Communications Commission's
preference for keeping code secret could allow flaws to go unexposed,
potentially killing confidence in their products.

By effectively siding with what is known in cryptography circles as
"security through obscurity," the controversial idea that keeping
security methods secret makes them more impenetrable, the FCC has
drawn an outcry from the software radio set and raised eyebrows among
some security experts.

"There is no reason why regulators should discourage open-source
approaches that may in the end be more secure, cheaper, more
interoperable, easier to standardize, and easier to certify," Bernard
Eydt, chairman of the security committee for a global industry
association called the SDR (software-defined radio) Forum, said in an
e-mail interview this week.

The Forum, which represents research institutions and companies such
as Motorola, AT&T Labs, Northrup Grumman and Virginia Tech, urged the
FCC to back away from that stance in a formal petition <http://
www.sdrforum.org/uploads/pub_439156SDRF-07-A-0012-
V0_0_0_Response_to_MOO.pdf> this week.

Those concerns were endorsed by the Software Freedom Law Center,
which provides legal services to the free and open-source software
community, staff attorney Matt Norwood said in an interview this week.

Still, in a white paper released Friday <http://
www.softwarefreedom.org/resources/2007/fcc-sdr-whitepaper.html>, the
group says there's also good news for its developers in the FCC's
rule: because it focuses narrowly on security-related software, it
appears that programmers would not be restricted from collaboration
with hardware makers on the many other kinds of open-source wireless
applications. (Many 802.11 wireless routers that are under the FCC's
control already rely on open-source systems for network management.)

...

"Obscurity works best when the hackers can't test their attacks,"
said Peter Swire, an Ohio State University law professor who has
written about the tensions between closed and open approaches to
computer security. "For software like this, used in distributed
devices, there should be no extra burden on open source."

There's also no clear evidence that the number of vulnerabilities in
open-source software differs dramatically from that of proprietary
software, said Alan Paller, director of research for the SANS
Institute, which provides computer security training. (Some earlier
studies have found that the generally more intensive scrutiny of open-
source code can help keep its quality higher and vulnerabilities lower.)

"They should be defining it as software with reliable maintenance or
software without reliable maintenance--that's the fundamental
security issue," Paller said in a telephone interview. "If I don't
have somebody I can call when I find out there's a vulnerability in
my software, I'm dead."

...







-------------------------------------------
Archives: http://v2.listbox.com/member/archive/247/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com


-------------------------------------------
Archives: http://v2.listbox.com/member/archive/247/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com