
FCC Rules Open Source Code Is Less Secure

Zonk posted more than 7 years ago | from the tell-that-to-apache dept.

Software 365

An anonymous reader writes "A new federal rule set to take effect Friday could mean that software radios built on 'open-source elements' may have trouble getting to market. Some US regulators have apparently come to the conclusion that, by nature, open source software is less secure than closed source. 'By effectively siding with what is known in cryptography circles as "security through obscurity," the controversial idea that keeping security methods secret makes them more impenetrable, the FCC has drawn an outcry from the software radio set and raised eyebrows among some security experts. "There is no reason why regulators should discourage open-source approaches that may in the end be more secure, cheaper, more interoperable, easier to standardize, and easier to certify," Bernard Eydt, chairman of the security committee for a global industry association called the SDR (software-defined radio) Forum, said in an e-mail interview this week.'"


Ain't the gov't great? (5, Insightful)

canUbeleiveIT (787307) | more than 7 years ago | (#19769517)

Just goes to show how much a bunch of gov't bureaucrats know. Or maybe they're just being ass-kissy with business again.

its about time (1, Funny)

Anonymous Coward | more than 7 years ago | (#19769655)

we need to safeguard our infrastructure and start licensing the programming profession, too many kids in their moms' basements can contribute buggy code to major open source projects, and given that Linux is based on code by foreigners like "dvd jon," there's no telling what backdoors al-Qaeda has running in our country's networks.

Re:its about time (3, Insightful)

wperry1 (982543) | more than 7 years ago | (#19770307)

"there's no telling what backdoors al-Qaeda has running in our country's networks."

Sure there is... anyone can look at the source and see back doors, etc. It's more likely that there could be code in a MS project developed by foreigners in Canada http://slashdot.org/article.pl?sid=07/07/05/2134249 [slashdot.org] because no one would have access to review the source code.

Re:Ain't the gov't great? (5, Insightful)

eln (21727) | more than 7 years ago | (#19769869)

They believe what the people who give them the most money want them to believe. Welcome to government.

Re:Ain't the gov't great? (1)

cayenne8 (626475) | more than 7 years ago | (#19770163)

"They believe what the people who give them the most money want them to believe. Welcome to government."

Yup, Money Talks.

Unfortunately, Open Source projects by nature just don't have that kind of legislative money to throw around.

Re:Ain't the gov't great? (5, Insightful)

Harmonious Botch (921977) | more than 7 years ago | (#19770177)

They are more familiar with the idea of secrecy and control than ideas like cooperation and standards.

It's just another one of the Bush-buddy coat tails (4, Informative)

RingDev (879105) | more than 7 years ago | (#19770153)

Standard Neo-con practice, appoint like-minded, highly loyal individuals into key points of power to make decisions that benefit big companies and personal investments in ways that Congress cannot easily affect.

Kevin J. Martin is the current head of the FCC, appointed by Bush in 2005. Prior to that, he was general counsel for Bush's first election campaign, then he took over the 'technical transition' when Bush/Cheney were moving into the White House. After they got settled he picked up a nice position as a White House assistant. The guy is nothing more than yet another Neo-con crony who shows his loyalty to big business and the party line over the interests of the people and gets promoted for it.

On the bright side though, he is at least somewhat qualified for the job. He has a real degree from a real school, he worked at the FCC prior to being appointed to Chairman, and has focused much of his career in the tech/telecomm industries.

-Rick

Amusing (5, Insightful)

ebbomega (410207) | more than 7 years ago | (#19769519)

Because Security Through Obscurity totally worked for:

MPAA (DeCSS)
Nazis (Enigma)
Xerox (Robin Hood & Friar Tuck)
Microsoft (just about any form of security they've ever had)

and about a billion other examples

Ugh (0)

Anonymous Coward | more than 7 years ago | (#19769695)

You mentioned Nazis! Godwin's wrath upon you!

Of course this is nothing new. Technical decisions are being made by non-technicians for non-technical reasons. Technology is complicated, so not everyone can be a technician, but it is important, so everyone will ultimately need to make technical decisions.

Technically meritless technical decisions, with potentially harmful consequences, and that are legally binding, will always have expression in the new world.

Re:Ugh (2)

Miseph (979059) | more than 7 years ago | (#19770275)

This doesn't quite meet the criteria for Godwin's law, as he was not calling anyone a Nazi (well, other than the actual Nazis, but that's just statement of fact), nor was he using them as an example because of their being Nazis, he was simply citing a well known instance where security through obscurity failed a group that believed their crypto to be perfect because nobody else knew how it worked.

Re:Amusing (1)

nurb432 (527695) | more than 7 years ago | (#19769725)

Yea, the MPAA and Microsoft are really hurting with their billions in the bank...

And you really can't compare Enigma to current technology.

Re:Amusing (0)

Anonymous Coward | more than 7 years ago | (#19769919)

It doesn't matter how rich they are, all those things thought they were "secure" just because they obscured the inner workings. That is not security.

Re:Amusing (5, Interesting)

Penguinisto (415985) | more than 7 years ago | (#19769935)

Yea, the MPAA and Microsoft are really hurting with their billions in the bank...

...meanwhile, their products are well-known for being about as secure as a fresh pot roast tossed on the floor of a wolf pit.

Just because one can make a profit off of it doesn't make it any more secure.

And you really can't compare Enigma to current technology.

I beg to differ - it was:

  1. a hardware-encoded algorithm set, eventually broken by other algorithms (courtesy of a few hardy Polish expatriate mathematicians), and
  2. actively decoded by one of the very first electronic computers in existence (see also "Colossus" and "Bletchley Park")

Cripes, man... if Enigma/Colossus wasn't relevant in concept, then what is!?

/P

Re:Amusing (3, Interesting)

AgentRavyn (142623) | more than 7 years ago | (#19769873)

To be fair, Enigma wasn't security through obscurity. It was a pretty strong mechanical encryption system that had serious user flaws. Every day, they had to brute force the day code using cribs that they had learned throughout the war.

The Allies were only able to figure it out after they got a hold of one of the devices, analyzed it, and then rigged up a whole bunch of primitive Turing machines (Alan Turing was pretty essential to this whole process, by the way). Then, as mentioned above, they brute forced the key.

The Naval Enigma machines were pretty much unbreakable in a reasonable time without cribs. They were the same as the standard Enigmas but had more rotors, thus a higher complexity.

Had the radio operators been a little more careful, it would've been a lot harder to break Enigma.

Re:Amusing (3, Informative)

Lockejaw (955650) | more than 7 years ago | (#19769961)

Had the radio operators been a little more careful, it would've been a lot harder to break Enigma.
Yes, a lot of their communications were so formulaic that you could start the day with a known-plaintext attack, recover the key, and then use it to decrypt the rest of the day's communication.

Re:Amusing (1)

GIL_Dude (850471) | more than 7 years ago | (#19770219)

From what I remember they were able to infer how to build the device based on extensive analysis of the encoded data that was captured. I don't believe they actually captured an Enigma device itself.

Re:Amusing (1)

plague3106 (71849) | more than 7 years ago | (#19769943)

Um, you know that encryption is not security through obscurity though?

You also know that, while it should never be used alone, security through obscurity is a valid practice to make hackers' jobs more difficult?

Re:Amusing (5, Insightful)

Martin Blank (154261) | more than 7 years ago | (#19770155)

When the Germans kept Enigma a secret, they did nothing more or less common than anyone else was doing, or still does for the most part. National governments by and large do not leave their communications to AES, but instead use (what they at least perceive to be) more secure methods. NSA still keeps our codes secret, Russia's FSB keeps its codes secret, and the UK's GCHQ keeps its codes secret.

One of the advantages to this is that the limited distribution of a given code can (but does not always) limit the number of attacks against it. Whereas a commercial cipher may result in millions or even billions of ciphertexts to analyze, a government cipher may result in only thousands to work with, and it may be more difficult to determine plaintext aspects of a given document for comparative analysis. It's also generally difficult to get the actual cryptographic hardware without paying someone (either from inside or outside) to steal one.

This doesn't work well at all for the kinds of things that the FCC covers, however. I can generate billions of ciphertexts with known plaintexts for some new wireless system, and I can also do analysis against the electronics involved to look for side-channel attacks. Hiding things for commercial items intended for the general public is fairly pointless.

Side note: I'd not heard of the Robin Hood & Friar Tuck trick. That was some very fun reading. Thanks for brightening my morning a bit. :)

Godwin (0, Offtopic)

PetriBORG (518266) | more than 7 years ago | (#19770225)

It's only the second comment and this thread is already Godwin'd.

Only on Slashdot!

Re:Amusing (1)

Space cowboy (13680) | more than 7 years ago | (#19770273)

Re "Robin Hood and Friar Tuck" - that was the first I'd heard of it, but I have a similar tale [gornall.net] , though in my case it could be more accurately described as "Robin Hood and the Sheriff of Nottingham" :-)

Simon

The FEDS (-1, Flamebait)

zoomshorts (137587) | more than 7 years ago | (#19769535)

ALL the Federally APPOINTED people are BUSH supporters, and they fail to know the law!
We know who they are, and ignorance of the law is no excuse. BINGO !!!

Re:The FEDS (1, Funny)

Anonymous Coward | more than 7 years ago | (#19769563)

Wow, it sure didn't take long for someone to blame Bush for this.

Re:The FEDS (2, Informative)

HangingChad (677530) | more than 7 years ago | (#19770043)

I'm sure he appointed people to the FCC who are every bit as competent as:

Brown

Chertoff

Wolfowitz

Rumsfeld

Harriet Miers

Alberto Gonzales

Scooter Libby

...it's a very long list. Should I keep going or did I make my point?

Re:The FEDS (0)

Anonymous Coward | more than 7 years ago | (#19770205)

Both parties are corporate shills.

Re:The FEDS (1)

EveryNickIsTaken (1054794) | more than 7 years ago | (#19769999)

Joe Biden, is that you?

Re:The FEDS (2, Insightful)

wbren (682133) | more than 7 years ago | (#19770069)

ALL the Federally APPOINTED people are BUSH supporters, and they fail to know the law!
We know who they are, and ignorance of the law is no excuse. BINGO !!!
Shockingly, there are also plenty of Democrats that are ignorant of computer security issues. Sorry, but that's the truth, and I'm no Republican or Bush supporter myself. Ignorance of how to make a point is no excuse...

Ripples (1)

Joebert (946227) | more than 7 years ago | (#19769547)

Around the world, people who were in the middle of saying "What the IRS doesn't know, can't hurt me !" suddenly stopped & asked, "Did you feel that, there's a disturbance in the force".

Re:Ripples (0)

Anonymous Coward | more than 7 years ago | (#19770313)

"Did you feel that, there's a disturbance in the force"
As if thousands of unemployed open source programmers suddenly realized that they don't matter anymore.

Secrets! (0)

Anonymous Coward | more than 7 years ago | (#19769551)

Shhh. It's a secret!

Re:Secrets! (0)

Anonymous Coward | more than 7 years ago | (#19769653)

I see you figured it out also.

Well, they're technically correct, of course... (5, Insightful)

Space cowboy (13680) | more than 7 years ago | (#19769553)


If I'm trying to break into some code, and I can read the source code to determine how the author protected it, I'll have an easier job (note: "easier", not "easy") because I can home in on the algorithm the author used. I know whether it's Blowfish, DES, AES, IDEA, or a simple XOR or substitution cipher. I know what pre-encryption steps were taken, and what post-encryption algorithms were used.

Let's say that in a moment of insanity, I decided to use a basic XOR encryption routine (create each byte in the encrypted stream by XOR-ing the corresponding source byte with every byte in the password save one, rotating that one as I iterate over the source). This is completely and utterly trivial to crack if you have the source code and *know* the routine I used. It's a repetitive cypher, so it's reasonably obvious unless the password is of significant length (a sizeable fraction of the source's length) as well. Note the difference - it's easier with the source code.

Now that's a contrived example - no-one in their right minds would use an XOR cypher, but the same principle applies to harder encryption techniques. If you *know* what system was used to protect the source, you have an advantage over not knowing... Did they gzip the source before encrypting it ? Did they use ZIP, RAR, or 'compress' instead ? Did they XOR to hide the obvious compression header ? Is it inverted (last byte first) or was any other transformation done *before* the encryption stage to try and make it non-obvious that a successful crack had taken place ? These are all "knowns" if you have the source code...

So, yes, it is easier when you have the source code. Security through obscurity is rightly derided, but not because it has no value. It is derided because it leads to the use of insecure encryption methods (small keys, using XOR/whatever instead of proper hard encryption, etc) and the fact that once the obscurity is cleared up, there's no more security. The idea is that if you are sufficiently confident that your encryption is unbreakable, you *can* document how you did it in public. That doesn't mean you *should*.

The point though, and why I disagree with the regulators, is that if you're using hard encryption, it really doesn't matter whether it's *easier*, it's not *easy*. It is in fact still so damn hard, that we're talking "impossible in our lifetime(*)" - the relative comparison makes no sense. It's akin to measuring the height of Mount Everest at 6-month intervals - it's always pretty darn high, though you might find some variance due to snowfall.

So, yes, they're right. But by not considering the (tiny) impact of their conclusion, they have made the wrong ruling.

(*) Modulo the discovery of an easy way to crack the encryption technology, of course.

Simon.
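The "XOR with every password byte save one, rotating the omitted one" scheme from the post above, written out as an added example that is not code from the original post (or from anyone else in this thread). It also serves Lockejaw's point earlier in the thread that formulaic Enigma traffic let Bletchley start the day with a known-plaintext attack: once the attacker knows the algorithm (Kerckhoffs' principle, raised further down), a short crib at a known offset hands over the whole key, and even without a crib the repeating structure gives up first the key length and then the key. `PASSWORD`, `PLAINTEXT` and the crib phrase are constructed for this example; the scoring table is a crude English-frequency heuristic, not anything from the page.

```python
"""Added example (not from the original post): the rotating 'all but one'
XOR scheme described above, shown to be ordinary repeating-key XOR, plus
the two attacks that knowing the algorithm makes possible.
PASSWORD and PLAINTEXT are constructed for this example."""
from functools import reduce
from itertools import cycle

PASSWORD = b"Kerckhoff"  # constructed; 9 bytes, no internal repetition
PLAINTEXT = (            # constructed sample, deliberately formulaic
    b"weather report for the morning of the fifth. the wind is from the south "
    b"west and the sea is calm. nothing to report from the coastal stations, "
    b"all boats remain in harbour until further notice. the enemy knows the "
    b"system, so the key and not the algorithm is the only thing you can "
    b"keep secret. formulaic messages like this one hand an attacker the "
    b"crib that turns a hard problem into a trivial one."
)


def _xor_all(data) -> int:
    return reduce(lambda a, b: a ^ b, data, 0)


def rotating_omit_xor(data: bytes, password: bytes) -> bytes:
    """The scheme as described: byte i is XORed with every password byte
    except password[i % len(password)]; the omitted position rotates."""
    if not password:
        raise ValueError("password must not be empty")
    n = len(password)
    out = bytearray()
    for i, b in enumerate(data):
        mask = _xor_all(p for j, p in enumerate(password) if j != i % n)
        out.append(b ^ mask)
    return bytes(out)


def effective_key(password: bytes) -> bytes:
    """XOR of 'all but one' equals (XOR of all) ^ omitted byte, so the
    scheme is exactly repeating-key XOR under this derived key."""
    total = _xor_all(password)
    return bytes(total ^ p for p in password)


def repeating_key_xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


# --- attack 1: known plaintext (a crib at a known offset) --------------------

def recover_key_from_crib(ciphertext: bytes, crib: bytes, offset: int,
                          key_len: int) -> bytes:
    """key_len known plaintext bytes at a known offset, XORed against the
    ciphertext, give the keystream there, i.e. the whole key."""
    if len(crib) < key_len:
        raise ValueError("crib must be at least key_len bytes")
    stream = bytes(c ^ p for c, p in
                   zip(ciphertext[offset:offset + key_len], crib[:key_len]))
    # stream[j] is key[(offset + j) % key_len]; re-index to key[0..key_len)
    return bytes(stream[(m - offset) % key_len] for m in range(key_len))


# --- attack 2: no crib, only the knowledge that it is repeating-key XOR -----

_FREQ = {' ': 13.0, 'e': 12.7, 't': 9.1, 'a': 8.2, 'o': 7.5, 'i': 7.0,
         'n': 6.7, 's': 6.3, 'h': 6.1, 'r': 6.0, 'd': 4.3, 'l': 4.0,
         'u': 2.8, 'c': 2.8, 'm': 2.4, 'w': 2.4, 'f': 2.2, 'g': 2.0,
         'y': 2.0, 'p': 1.9, 'b': 1.5, 'v': 1.0, 'k': 0.8, 'j': 0.2,
         'x': 0.2, 'q': 0.1, 'z': 0.1}


def _byte_score(b: int) -> float:
    c = chr(b)
    if c in _FREQ:
        return _FREQ[c]
    if 32 <= b < 127 or b in (9, 10, 13):
        return 0.2      # other printable ASCII: neutral-ish
    return -5.0         # control/high bytes: almost never English


_SCORE = [_byte_score(b) for b in range(256)]


def english_score(text: bytes) -> float:
    """Crude, additive English likelihood (higher is more English-like)."""
    return sum(_SCORE[b] for b in text)


def best_single_byte_key(column: bytes) -> int:
    return max(range(256),
               key=lambda k: english_score(bytes(b ^ k for b in column)))


def break_repeating_xor(ciphertext: bytes, max_key_len: int = 24):
    """For each candidate length, solve every column as single-byte XOR and
    keep the length whose reassembled plaintext scores highest. Multiples
    of the true length tie exactly, so the shortest winner is kept."""
    best_score, best_key, best_pt = float("-inf"), b"", b""
    for n in range(1, max_key_len + 1):
        key = bytes(best_single_byte_key(ciphertext[i::n]) for i in range(n))
        pt = repeating_key_xor(ciphertext, key)
        score = english_score(pt)
        if score > best_score:
            best_score, best_key, best_pt = score, key, pt
    return best_key, best_pt


if __name__ == "__main__":
    ct = rotating_omit_xor(PLAINTEXT, PASSWORD)
    print("derived key :", effective_key(PASSWORD).hex())
    crib = b"nothing to report"
    print("crib attack :",
          recover_key_from_crib(ct, crib, PLAINTEXT.index(crib), 9).hex())
    key, pt = break_repeating_xor(ct)
    print("no-crib     :", key.hex(), pt == PLAINTEXT)
```

The point is the one the post makes and then qualifies: the "all but one" rotation adds nothing, because it collapses to a fixed nine-byte key, and it only ever looked like extra protection while the attacker did not know the routine. A real cipher with a public design does not lose anything to `break_repeating_xor`, because its keystream has no period short enough to split into columns.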

Unless, of course, I'm an evil corporation (0)

Anonymous Coward | more than 7 years ago | (#19769709)

And sneak in a backdoor to the code I sell the government. Since it's "more secure" closed source which they can't see, they'll never know about it as I data mine their systems.

It's this same logic that limits us to 3oz liquids on a plane, because you know multiple terrorists would never get together to combine their 3ozs into 6ozs, 9ozs or even... 12ozs!

Re:Unless, of course, I'm an evil corporation (0, Offtopic)

Anonymous Coward | more than 7 years ago | (#19769803)

At least, if they blow up the plane, they have to purchase a minimum of 4 tickets. That way, with the failure rate on attempted plane bombings, airlines are likely to break even.

Re:Unless, of course, I'm an evil corporation (5, Insightful)

Space cowboy (13680) | more than 7 years ago | (#19769849)

Oh for [insert deity]'s sake, please don't tell them that... If they actually start thinking through every possible way someone could do harm on a plane, they'll shut down the airlines "for your safety and convenience"...

At the end of the day, the most dangerous thing is an intelligent mind with the goal of doing harm. There is little-to-no way to protect against that, but it's not a politically acceptable truth, so they just make life difficult for everyone and hope for the best [sigh]. The *only* reason for all this is to protect *themselves* from a "you didn't do anything" accusation after the fact.

If people would just accept that life == risk, we'd be a lot better off.

Simon.

Re:Unless, of course, I'm an evil corporation (0)

Anonymous Coward | more than 7 years ago | (#19769979)

The security of our nation's great skies has been compromised by your abnormally twisted mind. That's it, I just tracked you and added you to our no-fly list! Who's Mr. Smarty Pants now, Ms. Nony Coward?

The million eyes looking has merit as well (1)

Luft08091950 (1101097) | more than 7 years ago | (#19769789)

"If I'm trying to break into some code, and I can read the source code to determine how the author protected it, I'll have an easier job (note: "easier", not "easy") because I can home in on the algorithm the author used." You fail to mention that you will have a harder time finding a bug because the code has been so well reviewed by an entire community. That fact should not be ignored.

Re:The million eyes looking has merit as well (1)

plague3106 (71849) | more than 7 years ago | (#19770015)

The problem is that there doesn't seem to be any hard proof that the code ever gets looked at... especially in older, stable portions of the program. Saying there are "millions of eyes" is just bullshit.. nobody knows what code gets reviewed or by how many people. Also, how many of those millions are even qualified to review the code? Perhaps they are not as familiar with how an overall algorithm fits into the rest of the system.

Re:The million eyes looking has merit as well (1)

everphilski (877346) | more than 7 years ago | (#19770175)

You fail to mention that you will have a harder time finding a bug because the code has been so well reviewed by an entire community.

Is it, though? I think there is a kind of 1%/99% rule going on, 1% of the code gets 99% of the eyes, and vice versa, 99% of the code gets 1% of the eyes in the open source community. There are a few really good, quality projects... and then there is a sh*theap of crap.

Re:Well, they're technically correct, of course... (5, Insightful)

kebes (861706) | more than 7 years ago | (#19769811)

You're quite right. Obscurity does provide some level of security, though relying on it alone is a surefire way to have your security cracked eventually. (Whereas things that are cryptographically secure will not be cracked in my lifetime.)

Another way to look at it (especially in the context of open source radio) is that whoever is implementing the security has finite resources (money, man-hours, whatever) at their disposal. For every hour they spend trying to obfuscate the inner workings, that is one less hour spent validating that it is *truly* secure (in the "cryptographically secure" sense). If you instead leverage open-source, then you have code that has been tested and vetted by experts the world over. Suddenly the hours spent on adding obfuscation would be a waste of resources: the code is already so secure that adding the slight additional security of obscurity is a waste of time.

So, while obscurity does provide some kind of security... it is actually the most resource-wasteful form of security (a lot of effort for something that eventually gets cracked), whereas the more efficient security model is to focus on things that are fundamentally secure (in which case you may as well use open-source solutions, since you get to take advantage of work already done, and the marginal loss of obscurity doesn't end up mattering).

Re:Well, they're technically correct, of course... (3, Insightful)

morgan_greywolf (835522) | more than 7 years ago | (#19770259)

Exactly. Hey, FCC: Decrypt this:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.5 (GNU/Linux)

hQIOA3zQFkc0jOpLEAgAkeu9YYOYA2YLePtUm3tGthW7fBO1RNBM/EBDJ3FkQdfZ
avUq5gRrYhZ/vwo5MfMe950/SpZcgaUpN4pOoNQQFEyD8QYMjBmnvU0sH0iUAvza
oZvcvq7cxiswhUPwSFZPVz8vyGW0WqP6aTcRxF/EA71Jo2IbMsaoSMKv2T1Jkr04
OnGhFO5hEhNkAPEpoIucdkVKMn3U+Cmj846vj/I4CIaLu99mHwp150fuSgI1Jfua
8Ax9ztv9Krx74khTlOIwW/5nLKz6IXqDRn8YIehA3YmWuddFGg7vcoMlMgmsficz
/PJCe0acA5zvOuY1ISYnqB6aeAKe3caU+RY2MVDYxwgAv5+pdrZ1nyOaOzVFdVFD
+qRRoX3CPt5BsQxjgCYvwc3yqi9anUGbxglOMj3xPHJKSdjzgKOPsbDiA0EJxbLZ
YgFPU+rW6bk/HUnlu0vyavgp4f6fPCCHFYXKhFVbxU4i4uEx+tzZH3UB/qsFX+MA
YyqWWBvUfTsG+rqKTqgtlM9YAz9VoxwrY7mls7TOdcIigKdeCHsF8qOMsAwQFT9M
lcFBzpzDv2Bl6Puh8cN5cIPnJAI5W8M9792szOTxv2A+4wNQW06UipSCBYXuZ9/E
+b3EtraDOg6ZZB5W/BdiQDBWeJlO/Kedm4tAhCuUObYtvlylric3S11Eii/bYdPd
kNLpAeyvgT/IjwxSabSmfCIrrQc0C1bk3z0BVoRdDYLmBbdddOb94OYMSBZUXG58
SRcjfHked62COU2PtpeuYn6qSwCB+NRdVv5OgM6w6HE+iCkQ5LZ2dCHBuFMWPctd
C7ykhLQWCja4a7EgJE99k48sSyWnvFwOKimINes8Mlfz8XuCSTOGf+OOsfWjKzSv
dgSJ3eXZJ/q2T6cGISbyPSiqeiekRo8h8iWncdgzsLIF+wu+hXG7IxlC7anmrd8U
dG8LFVMnOIkp2BkJmQllbbpBBdu7x5govz0nCq+NFVUyZbnJKfJyLeGO3xe1j1mb
le+vkdWQNHqRovRWukMmQXNfFamqMLoWe+P0Z7Nlgkhin9JgLd6r+/QPUWsMeHQ1
tBiI2RcHjXBcz/IvvohoUZf+HXcOye5Ly0dNnBJuXg/oswXBKZzaVs173T3DK7ZT
L0Lq1UDTEFd0LI3PdQ+KqtB7Rt9Xn0igliqffXVZ0VmBoskTs5oKmX2DrrbjPuoM
CPs5O9agZs3O8ULAQLz+rCZFOGtPqO3vhYxGmyBx9WxkekzpcAe1yeKMn4ZroYUW
F45+DnxKGigrwpnNM5Ew9EUnmYwhWab2kXePdiK767Hu27qHjSOmc7EGfkZ6yj4B
7ZlLkojiQKKlknQdn5nhfQpvNUBMDNcfIHCmkUoN+kKLJ3LAsDG/0gK5u+PRx8TV
OLmaBQCsLgRIHhC0m2KctuVYioDCTHprGXB8eRaTfo/+q1tKisB+F+G3M0WzOPuB
+H/rB1bvbRSjccGdDlu8DyfT9DnGHx5TZpj6DGhyfUMw20hY1h9qpNgjHoo5531R
x4gKjozWFIoj/DqMPcI2BiYZ2kJHSDBQUal0CUobgl3AK7yjZPuuKUlXz3PjslA3
2icnOi1qP262vydWZaEPkBdSozFyatk1lzDwF/oXvkvyz3XVDIOm8nGg0JRhgPas
xyy7ptd4WV92FRR9hEQRhpfZqBAy90oLPudxUQ74sWCSjI6Kw1vXm1/BiXjlj0tk
d77v/UGaFRc5/vDeKYS45b2NbOsVno4DjkLI9pWNTDNfOpgll0/tfWpei9W8Ycyy
1gxpuRsv8DkuhJJn/HO9i7Aa6zYGPMhqo97eTsf+9JBKuu/fxO9zq6iFkpnw+LAC
gaHfiyEP3sXGNUJbrrAceRsa7xM1
=eVzI
-----END PGP MESSAGE-----

Here's the public key it was encrypted with:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.5 (GNU/Linux)

mQGiBEaOfaYRBACmhQFOOvPFVMEPHFNGcETe2eh8iAsJOWgduxJXR1E4a2zB87tp
+vU20lEBqcd8o7Mfx1z3ZPZC8pZu2N9J4+zSNqRpD/bKQ6iZ2qYFk+IcP7Zx+Qrd
rGZKPKQByqvFG+nUWqDKw8vr5rASuG2/BxbjJHbayjpVX7J9CPq4VcR7xwCg38z0
7CS0W2SlEBhRu+pVBZX54f0D/AonvOSzZGPJEyD9sfU7aXNowtjku5V9ybIJtHVI
DCpsC1IhRfrmx2hHgxyx1egrKT0PlgjilUAcZN9ZhkJgKoZxpgBVH7LdxIN+/jUc
capxx7zoOmV0NTy26yc0y3UQb2m6lSejUPyj8mUvMUBouj2BtdxKQOXl+qPwmMyo
ncFIBACGt55hbuFHmf6/j0fCz/wjMWyHn0NebdvgC5HBVm9/a5Lnr435OwpwJOID
Mavig01JSVYOZp/4nTOG9p7FFePt7rAbtljaaCNBRLyEY5I08UmhDLau1xPHFDXM
GLrR9rRehRyyeO6Dcj30KCKHlkDzIRWHYMbFiUEUMUq4xDofnrQfUm9iIFNoaW5u
IDxyb2Iuc2hpbm5AZ21haWwuY29tPohgBBMRAgAgBQJGjn2mAhsDBgsJCAcDAgQV
AggDBBYCAwECHgECF4AACgkQgoZHF4HZU+rTJgCeLwZd4bVTbhwIyUa7CnQpXSlj
rc4AnRhZTQezQnKHioFhxE+nx44H7jfPuQINBEaOfawQCAD5ykfs8bCeQVhkBhrT
4apDd6yHcKToUOFze4nFenAxzSphnvhOiZ31SJ6XkWmL37ITRV+7PdU+MNgpMSRA
juKy4le407ME1NxaAoeVXtmAcbtb8qwQFgS6r4wA9sF+bgbeJ7HKYKPTeH8dXw8D
KjN+uB/HDpkJpCfMjgVVnJ7BhtrkX9/B8CuW2dqxp2QDkLskKljPb72TW1KMBuZk
5Md9ZKJYT8znt5gTvgUfBtuqoHLg7ySBBowP+XW+QxQ1tNaF8M6+eGWXtP86LlSu
1aA88wgkUvfqaF2L22ZBCMViE9H7OqeDLD4grvxLAQUomLIuURNHztEcM5YRthfC
EQTXAAMHCACXRB/YnB56VU1dR+lKexeQjI9HLxXtZH3TKQMEAPmiXhQ1Q2dcAH/G
zZjyRe6oKNmhDy45FIlEU+gtoms0XPeynI+6QYh+dPtsnhYk/TYXF3aLaUvM35Nu
uWmqCIJenCv8Fx7G88Ghrtkdq2nwVEI79jz7pjvrGW3ppI7b2p+4lOCC6d8+Cv6I
1R9WAF0IjNtwubOdPXlHc3o0/yyyaoIkjvC9UlRim0Qe2TDZ18zoW2CY2g1u2Cvz
ctSchkCafwPjeLHErZHlGb57aDeCfKkIcI+6e2/K4SzqzRYLjrGqW5OdlMdIniRI
ebKJ+xOS2S68LydKrKqugsUw/AdQOMRjiEkEGBECAAkFAkaOfawCGwwACgkQgoZH
F4HZU+quogCgzBcUuOvktjfZ/FFOZ/NQzcetZXUAn37avk50v4ZGdXyTjgjsAZjv
Eq+y
=IVSy
-----END PGP PUBLIC KEY BLOCK-----

And, here's a link to the source code for the program that encrypted it [gnupg.org] .

Good luck, guys!

Re:Well, they're technically correct, of course... (5, Funny)

Trillan (597339) | more than 7 years ago | (#19769909)

no-one in their right minds would use an XOR cypher

/me shifts uncomfortably

C'mon, it was the early 90s, I was new at this programming thing, and my boss told me to do it...

At least I changed the constant away from 0x7F.

Re:Well, they're technically correct, of course... (1)

MobyDisk (75490) | more than 7 years ago | (#19769933)

Technically, you are right.

The problem is, if you don't have the source, you'll never know that the XOR encryption is in there. So it will never be fixed. Knowing the security level for certain is just as important as the actual security implementation.

The enemy knows the system (2, Informative)

vivaoporto (1064484) | more than 7 years ago | (#19769963)

Look up Kerckhoffs' principle [wikipedia.org]. Security through obscurity is a widely debated subject going all the way back to the 19th century where it concerns cryptography, and sooner than that in locksmith circles, and it is more or less a consensus that it is not only ineffective but terribly dangerous, because "every secret creates a potential failure point".

Read the wikipedia article, it is enlightening and very insightful.

Re:The enemy knows the system (1)

vivaoporto (1064484) | more than 7 years ago | (#19769993)

And by sooner I mean earlier. God damned foreign language and its traps!

Re:The enemy knows the system (2, Insightful)

Space cowboy (13680) | more than 7 years ago | (#19770169)

The thing about pretty much all the discussion over 'security through obscurity' is that it compares a 'secure-because-obscure' to a 'secure-without-being-obscure' mechanism. I'm not saying that the use of a secure-through-obscure mechanism is a good thing, and if you read my post, you'll see that.

My point was that if I'm using a hard-encryption mechanism, then I can additionally do things that would render a "cracked" result difficult to determine. If you know what you're looking for (ie: the algorithm is open source), I can't do that. I wasn't trying to say "just use secure-through-obscure' methods, I was saying that they can have some value when also combined with hard encryption.

I also disagreed with FCC (at the end of the post). It was sort of amusing to watch the moderations (up to 5, down to 2, up to 5, down to 3, up to 5). I'm left wondering whether those that moderated me down actually read what I wrote (and thought I was wrong), or just read the title of my post, and gave a knee-jerk response...

Simon

Ceteris paribus (5, Insightful)

hey! (33014) | more than 7 years ago | (#19770129)

"Ceteris paribus" -- assuming "all things being equal", which they never are.

True, if you have two equally boneheaded pieces of software, then exploits in the closed one are harder to divine -- not by much, but harder. On the other hand, if you have a piece of software that has survived years of public scrutiny by experts, that is presumptively harder to exploit than something some random engineer ginned up in secret.

Something cannot be widely reviewed (which is the gold standard in security) and secret at the same time. So generally, I think open source represents the best by far and the worst by a little of security possibilities.

The ultimate problem is that broad statements like X is more secure than Y are meaningless. You have to specify the context and threat you are concerned with. Is an open source interpreter burned into a ROM inside of microwave oven more vulnerable than a proprietary interpreter? Well, against what? Same goes for the software radio thing.

Wow... Governmental doublespeak (2, Insightful)

KiltedKnight (171132) | more than 7 years ago | (#19769581)

From TFA:

The SDR Forum has cited the Secure Socket Layer (SSL), a widely used technique for securing e-commerce transactions, and the National Institute of Standards and Technology (NIST)'s public hash algorithms as evidence that open processes often yield the most highly successful security techniques.
Very typical. First, they say that the stuff is not as secure as the "security by obscurity" method, then they go and say the most widely accepted and used method for secure web transactions is evidence that open source software yields the most highly successful security technique.

And we keep voting the same crew into office who keep appointing the same bozos to the FCC... shame on us.

Re:Wow... Governmental doublespeak (1)

houstonbofh (602064) | more than 7 years ago | (#19769883)

Why do people talk about "The Government" like it is a single person? It is many people who do not get along and sometimes actively fight each other. Some of them are clueless, and some are mistaken by malice. No surprises here. Amusement, perhaps...

Re:Wow... Governmental doublespeak (2, Insightful)

BitchKapoor (732880) | more than 7 years ago | (#19769907)

From TFA: The SDR Forum has cited the Secure Socket Layer (SSL), a widely used technique for securing e-commerce transactions, and the National Institute of Standards and Technology (NIST)'s public hash algorithms as evidence that open processes often yield the most highly successful security techniques.

Very typical. First, they say that the stuff is not as secure as the "security by obscurity" method, then they go and say the most widely accepted and used method for secure web transactions is evidence that open source software yields the most highly successful security technique.

And we keep voting the same crew into office who keep appointing the same bozos to the FCC... shame on us.

These are two different groups. The FCC is advocating security through obscurity, while the SDR Forum is advocating open source. Get it?

Re:Wow... Governmental doublespeak (3, Informative)

gEvil (beta) (945888) | more than 7 years ago | (#19769913)

It's not the same group making these statements. The FCC is the one who has said that "security through obscurity" works, while the SDR Forum (an industry group) cited SSL as a counterexample.

Re:Wow... Governmental doublespeak (0)

Anonymous Coward | more than 7 years ago | (#19769917)

And we keep voting the same crew into office who keep appointing the same bozos to the FCC... shame on us.
I don't know about you but I plan on re-electing Bush a few more times.

Oh, and I assume you mean "shame on everyone who voted differently than me".

Re:Wow... Governmental doublespeak (1)

KiltedKnight (171132) | more than 7 years ago | (#19770171)

Oh, and I assume you mean "shame on everyone who voted differently than me".
No, I mean shame on everyone for continually letting the media and special interests drive the elections and only selecting from the "ruling class" that has so conveniently been created from the continuous selection of only a Democrat or a Republican and the two parties banding together to secure their positions.

Many years ago (around 10-20), I remember a poll/survey stating that something like 75% of the people of the US blamed Congress for the conditions of the economy and other troubles we had at that time... yet 85% of them liked their Congressman. "Everyone else's Congressmen are the problem," is what that poll is stating. Nobody wanted to realize that their Congressman might be a part of the problem too.

Re:Wow... Governmental doublespeak (2, Informative)

eln (21727) | more than 7 years ago | (#19769921)

The SDR Forum is not affiliated with the FCC or the federal government, and in fact is opposed to this new FCC rule. The SDR Forum brought up those two methods as a counterpoint to the FCC's rationalization for this rule. I don't see any doublespeak there.

Re:Wow... Governmental doublespeak (1)

KiltedKnight (171132) | more than 7 years ago | (#19770059)

NIST is a government agency. And it wouldn't surprise me if the FCC uses SSL on some of their web servers, internally or externally. And how many government agencies use Kerberos?

Re:Wow... Governmental doublespeak (0)

Anonymous Coward | more than 7 years ago | (#19770149)

You'll need to spell out the point that you're trying to make, because clearly I and others aren't seeing it. Yes, NIST created SSL and is a government agency. Again, the comment about them is coming from the SDR Forum, which is a trade association, not a government agency. If NIST were to come out and agree with the FCC's analysis, then you can talk about governmental doublespeak. But so far it is just one agency (the FCC) that is saying that open source doesn't work.

no reason why? (1)

nurb432 (527695) | more than 7 years ago | (#19769589)

Sure there is, and it's called payoffs.

yeah right... (1)

mixenmaxen (857917) | more than 7 years ago | (#19769591)

By the "security through obscurity" definition tools like PGP would be insecure.

Yeah right....

Lobbying and ignorance are not news, really (1)

slashdotlurker (1113853) | more than 7 years ago | (#19769615)

So Microsoft http://publicintegrity.org/lobby/profile.aspx?act=clients&year=2003&cl=L002186 [publicintegrity.org] and Apple http://publicintegrity.org/lobby/profile.aspx?act=clients&year=2003&cl=L000538 [publicintegrity.org] have some of the bigger IT lobbying efforts around, and FCC bureaucrats don't know the difference between their ass and 2 holes in the ground.
What is the news?

Never, ever forget that the FCC... (3, Interesting)

Anonymous Coward | more than 7 years ago | (#19769625)

... since its very inception back in 1934 (and its predecessor, the "Federal Radio Commission", from 1927 until 1934) has always been under the corrupted financial influence of the big broadcasters, despite the faux-adversarial image they try to paint on their relationships.

The government experts. (1)

SomeJoel (1061138) | more than 7 years ago | (#19769641)

I'm sure they were presented with Kerckhoffs's Principle [wikipedia.org], but since it didn't involve steroids, internet taxation, or huge tracts of land they skimmed right over it.

How can you vet ignorance? (5, Interesting)

gillbates (106458) | more than 7 years ago | (#19769657)

How can you prove something is secure if you can't see the source code?

You can't.

The FCC's position is that it is better to hide one's head in the sand and hope the vendor implemented a secure solution than to actually *prove* the solution is secure.

The FCC has always worried that the technology's flexible nature could allow hackers to gain access to inappropriate parts of the spectrum, such as that used for public safety. So the regulators required manufacturers to submit confidential descriptions showing that their products are safe from outside modifications that would run afoul of the government's rules. Cisco's petition asked the regulators to clarify how use of open-source security software, whose code is by definition public, fit into that confidentiality mandate.

The problem is that, as any ham operator knows, access to any part of the spectrum is as simple as building your own homebrew equipment. Hackers, by their very nature, already know how to access the radio spectrum; it is the weak or non-existent encryption which represents the real threat. Keeping your code closed allows security vulnerabilities to exist for much longer than they would if they could be scrutinized by the public at large.

Furthermore, any software defined radio, open source or not, can be made "open source" by simply replacing the binary in flash. Which means that any software defined radio, open source or not, can be hacked. Which might be a bigger issue worth more discussion.

Re:How can you vet ignorance? (1)

BitchKapoor (732880) | more than 7 years ago | (#19769959)

How can you prove something is secure if you can't see the source code?

Actually, you can verify that a piece of compiled code is secure if the vendor provides type annotations with it in the style of proof-carrying code. This is similar to how the JVM can verify that Java bytecode won't do things it's not supposed to, except now we need a richer specification of what we consider to be secure.

Re:How can you vet ignorance? (1)

rstarg (1080657) | more than 7 years ago | (#19770131)

Furthermore, any software defined radio, open source or not, can be made "open source" by simply replacing the binary in flash. Which means that any software defined radio, open source or not, can be hacked. Which might be a bigger issue worth more discussion.

I don't see how re-flashing the memory makes the radio "open-source". I guess at that point it is "open-source" (since you know the source of the current program), but I don't think the radio will have any predictable or desirable operation. A random binary flash will not be able to functionally replace an engineered program. It sounds like you are suggesting hacking the radio to figure out the program's function. This might be useful unless you destroy the device through the experiment.

don't want DRM circumvented (1, Insightful)

boguslinks (1117203) | more than 7 years ago | (#19769715)

from TFR:
A system that is wholly dependent on open source elements will have a high burden to demonstrate that it is sufficiently secure to warrant authorization as a software defined radio.

By this they probably mean, if the radio is open source then any DRM is useless, and this is insufficiently respectful of the benighted Copyright Holders of whatever is being played, thus it is "less secure."

Re:don't want DRM circumvented (1)

Intron (870560) | more than 7 years ago | (#19770293)

No. They pretty much spell out two concerns:

1) Closed software can just block out restricted frequencies or power levels. If the software was open and changeable, it would be trivial to get around any software restrictions.

2) If you can adjust the workings in software, then there is a danger of operating in a way that causes harmful interference even when on lawful frequencies and power levels. Closed software doesn't provide the adjustments.

Why is the FCC regulating security? (5, Insightful)

pavon (30274) | more than 7 years ago | (#19769719)

I am somewhat perplexed as to why the FCC would need to be regulating the security of consumer devices. For organizations that need secure communications, there are already many government and private certifications that ensure this. But why on earth would they restrict consumers from purchasing non-secure software radios if they don't need them?

Is this because they feel that software radios could be hacked to broadcast outside of their certified frequency and power limits? Or because they think they need to protect the public from buying 802.11 routers with crappy WAP implementations?

The same FCC that is promoting BPL (4, Interesting)

LM741N (258038) | more than 7 years ago | (#19769747)

These are the same FCC bozos who are promoting Broadband Over Power Line or BPL, despite all the independent technical experts who confirm that the systems are just giant antennas radiating hash, noise, etc. and interfering with Public Service Radio. Along those lines, the American Radio Relay League (ARRL) is suing the FCC over its certification methods for such systems. See www.arrl.org for the details.

Looks like GPL3 is a no no on SW Radios (1)

TimSSG (1068536) | more than 7 years ago | (#19769781)

After reading the article, it looks like the FCC is concerned that FLOSS software would enable the Software Radio to be changed in a way that violates FCC rules. Things that cause interference for example. I think the Makers will need to use something like TiVo does to prevent changes and this means GPL3 will not work well. Tim S

Re:Looks like GPL3 is a no no on SW Radios (3, Insightful)

Overzeetop (214511) | more than 7 years ago | (#19770147)

Whoa, there. There are lots of ways to violate FCC regulations with off-the-shelf hardware. Whether it happens in hardware or software, it's still illegal. There's no reason that OSS can't comply; they're simply arguing that somebody could re-code it to be non-compliant. Hardly a valid reason for disallowing it.

That's right, it's not about "Security"... (0)

Anonymous Coward | more than 7 years ago | (#19770227)

in the classic sense, it's about ensuring that some bozo can't rewrite the driver or firmware and cause the radio to violate the FCC rules the device has been registered for. I.e., overpowering the frequency, leaking into adjacent frequencies, causing undue interference, using bands it's not cleared for, not dealing with interference it may receive, etc.

Free open source adjective rating service (1)

xxxJonBoyxxx (565205) | more than 7 years ago | (#19769783)

...open-source approaches that may in the end be more secure, cheaper, more interoperable, easier to standardize, and easier to certify...

In my experience these statements are true...
- secure: sometimes; more likely with more popular projects, less likely with smaller projects
- cheaper: sometimes; adding in cost of people to noodle with code or interfaces can raise costs quickly (however cost may be minimal if we're talking about cloning a few thousand embedded cuts, etc.)
- interoperable: definitely, because if the code doesn't work, you can change it
- easier to standardize: sometimes, tends to depend on the project leader's goals (although forks can solve this)
- easier to certify: definitely not, because the code frequently shifts (e.g., OpenSSL's experiences with FIPS validation)

Re:Free open source adjective rating service (1)

Lockejaw (955650) | more than 7 years ago | (#19770093)

- easier to certify: definitely not, because the code frequently shifts (e.g., OpenSSL's experiences with FIPS validation)
In comparison with what? Incremental releases happen in both open- and closed-source software. Sure, the open-source project has nightly builds which won't all get certified, but chances are the closed-source one does too. The difference is that only the open-source one lets people see its nightly build.

not about security (2, Insightful)

mevets (322601) | more than 7 years ago | (#19769785)

The security bit is just a cover story. This is about some perceived danger to the RIAA, MPAA and similar cartels.

This is good news! (1)

Spy der Mann (805235) | more than 7 years ago | (#19769805)

... for black hats :(

LSPP/EAL4 (1)

omnirealm (244599) | more than 7 years ago | (#19769817)

Looks like someone needs to drop the FCC a note to inform them that an Open Source operating system has somehow managed to achieve LSPP/EAL4+ Common Criteria security certification [openpr.com].

Wavelength restrictions (5, Informative)

romiz (757548) | more than 7 years ago | (#19769823)

The problem the FCC (and every other emission regulation body) has with open source and software radio is that it will be trivial to modify a device using these methods to emit at an arbitrarily high power level over a restricted wavelength, or using a band without using the proper medium access control. If this happened, the wavelength would be pretty much unusable for all other users until the FCC tracks down the emitter, and shuts him down.

That's why today, most radio-enabled devices, and especially mobile phones, have to pass type conformance to be commercialized in a geographic area. In the current state of things, if the radio software can be changed by the user, the type conformance cannot be awarded. Software radio makes things worse, because it is harder to justify that a component cannot emit at a given frequency, if changing the software in this component would allow switching emission frequencies at will.

Re:Wavelength restrictions (4, Insightful)

QuoteMstr (55051) | more than 7 years ago | (#19770061)

That's what code burned into ROM is for -- or hell, EPROM or even EEPROM would be fine, so long as it can't be erased through normal operation of the device.

If the FCC is that concerned about software radio operating out of spec (which I personally believe isn't really going to be a problem), then it should mandate hardware access controls on all radios.

Ultimately, ANY solution that relies on locking down client devices is doomed to failure. People can, and do, tinker with their own devices.

Re:Wavelength restrictions (0)

Anonymous Coward | more than 7 years ago | (#19770199)

Worse than that, don't people already build radio jammers and isn't it trivial to broadcast on whatever freaking frequency you want if you know how to build an appropriate antenna and solve a few math equations?

Re:Wavelength restrictions (2, Interesting)

everphilski (877346) | more than 7 years ago | (#19770235)

Most SDRs I've seen (all in the amateur radio world ...) are run off of crystals or chips generating a waveform. The base frequency is NOT generated by software... so it is a hardware issue as to frequency, not software.

Where software comes into play is processing the incoming signal, and generating an outgoing signal. And the software is damn good at that :)

Re:Wavelength restrictions (1)

interiot (50685) | more than 7 years ago | (#19770287)

Exactly. The headline is misleading... the FCC isn't concerned about crackers being able to take control of other people's machines, they're concerned about normal people being able to fully modify their own equipment.

It's just a single issue with the frequency restrictions. If software could be open-source, and end users were able to configure everything but that one little thing, it wouldn't be as big of a problem. But it's an inherent part of open source that anything can be modified. OSS prevents the FCC from having any pre-emptive control, and that's what they see as the problem.

FCC overstepping their bounds yet again (5, Insightful)

Anonymous Coward | more than 7 years ago | (#19769825)

The FCC has absolutely no power to regulate nor any say at all in how software radio or television are implemented.

The FCC commissioners are deluding themselves, again, if they think Congress gave them the power to appoint monopolies.

They have already been slapped down once with regards to the DTV Redistribution Control flag and they're about to be slapped down again.

What's next, washing machines and clock radios?

http://pacer.cadc.uscourts.gov/docs/common/opinions/200505/04-1037b.pdf [uscourts.gov]

If the Foolish Child Commission can't remember the limits of their power, We the People will be more than happy to remind them, spank them and send them to their 'time-out' corner once again.

MoCSSRH (3, Insightful)

gr3kgr33n (824960) | more than 7 years ago | (#19769841)

Well, if they [FCC] are going to take this stance, it is our duty to enlighten them as to the consequences of their actions.

I would like to see a Month of Closed-Source Software Radio Hacks.

Then they [FCC] will discover that since the closed source software radios are not examined by independent unbiased debuggers, the possibility of bugs, bad encryption schemes, et al. is a very high possibility.
Maybe then the government bureaucrats will see the merits of Open Source.

This isn't about security.. (4, Interesting)

russotto (537200) | more than 7 years ago | (#19769857)

...at least not security as it's usually defined. It's about prevention of modification by the end user or a third party not authorized by the manufacturer.

While the rules require these "security" measures to prevent modification to software defined radios, as far as I can tell (based on several 802.11 devices I've messed with) the only actual "security" measures which have been taken have been to not publish the source. There's not really anything preventing modification of the firmware to operate outside the ISM band or at unpermitted power levels. So I'm not sure exactly what measures the FCC is really requiring, other than that manufacturers don't publish their datasheets.

FCC Sticks Head in Sand!!! (1)

deweycheetham (1124655) | more than 7 years ago | (#19769859)

FTA | ...the FCC decreed that open-source security software, too, cannot be made public if doing so would raise the risk that the FCC's rules could be sidestepped. ...| Well, here's your problem...

The 'why' is easy (1)

fredrated (639554) | more than 7 years ago | (#19769861)

Our government has become an extension of the profit motive. Everything for someone's profit. Period.

What they are REALLY worried about (4, Insightful)

newandyh-r (724533) | more than 7 years ago | (#19769905)

If the end-user can modify the source with reasonable ease:

They can easily bypass any "broadcast flag";
They can remove restrictions on which channels a scanner can scan;
They may be able to transmit on forbidden channels or at power levels that are above those permitted for a channel.

That is the sort of hacking that frightens the FCC.

Andy

Re:What they are REALLY worried about (1)

Drinking Bleach (975757) | more than 7 years ago | (#19770165)

People *already* do this without source code for devices. The only thing having the source code does, is make the job a whole lot easier and faster.

Re:What they are REALLY worried about (4, Insightful)

Dunbal (464142) | more than 7 years ago | (#19770191)

That is the sort of hacking that frightens the FCC

And with their infallible logic they conclude that closed source means you cannot remove restrictions, transmit on forbidden channels/power levels and bypass broadcast flags. Because no closed source program ever has been bypassed, modified or otherwise hacked. Days and even hours after its release.

When will these people learn that the PEOPLE have the power, not the government? We the masses obey ONLY when it suits us. If they have to go to such great lengths to try to limit us, perhaps what they are trying to do is not such a good idea after all? They just don't get it.

Bring 'Em On: +1, Hyperpatriotic (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#19769927)

What do you expect from a branch of the Military-Industrial-CONGRESSIONAL Complex [whitehouse.org]?

The U.S.A. has collapsed. The criminals (a.k.a. your elected federal officials) just don't want to announce it to the brain-dead U.S. adult population.

Have a Bush_Cheney_Rice_Rove-Free Weekend.

Cheers,
Kilgore Trout

I say. (1)

dj245 (732906) | more than 7 years ago | (#19769945)

Sir, you will no doubt be shocked to learn that this comes with neither a silver platter nor chilled champagne. I know when this realization dawned on me, my monocle popped out and rolled under my desk. My gentleman's gentleman, Wheatley, has noted his displeasure with your oversight while remedying the situation.

Peer review (1)

athloi (1075845) | more than 7 years ago | (#19769957)

I'd have to give them a big "Yes and No." The breakpoint is whether or not there's an active community of people looking over the source and testing it. If there is, they're more likely to find insecurities before hackers. If not, and the only people reading the source are hackers, there could be a problem. All of this to me suggests that the Open Source community should consolidate, have fewer projects, and we can all subject each other's projects to more rigorous review.

Nonsense (4, Insightful)

Anik315 (585913) | more than 7 years ago | (#19769973)

There's nothing inherently secure about closed source software or anything inherently secure about open source software. In fact, closed source software that is not secure when the source code is visible is not really secure at all.

Thanks (2, Funny)

Applekid (993327) | more than 7 years ago | (#19769987)

It's just that the boys at the FCC are go getters! Who cares if they aren't software security people, it's the FCC! They see a problem and are totally pro-active to take it on. Morality cops on TV and radio? That definitely falls within assigning and licensing portions of the EM spectrum for private industry. They're just going above and beyond.

All hail the FCC!

(can I puke now?)

hemos isn't that smart (-1, Troll)

Anonymous Coward | more than 7 years ago | (#19769991)

I have a friend who goes by hemos and he loves this site, just like a huge douchebag.

declare?! (1)

SolusSD (680489) | more than 7 years ago | (#19770031)

This sounds a lot like Microsoft "declaring" they are not bound by the GPLv3. They can make whatever "declarations" they want -- it doesn't mean they are necessarily true. Sadly, IT management and most software radio users will read that as a fact and not an opinion.

"security through obscurity" can be good ... (4, Insightful)

AHumbleOpinion (546848) | more than 7 years ago | (#19770229)

I am not agreeing with the FCC on this one, but I am going to defend "security through obscurity" a little due to expected /. audience oversimplification and knee jerking. At times "security through obscurity" is a perfectly valid and desirable approach when used *alongside* other good techniques. It is only bad when it is the foundation of your security. Note that I am only addressing the security angle and not addressing open source philosophy (or for some out there religion).

Re:"security through obscurity" can be good ... (1)

mark-t (151149) | more than 7 years ago | (#19770283)

[Security through obscurity] is only bad when it is the foundation of your security.
It invariably is though. That's the problem with it.

Go with the big guns... (5, Informative)

tom_evil (1121495) | more than 7 years ago | (#19770265)

...like Bruce Schneier:

"If an algorithm is only secure if it remains secret, then it will only be secure until someone reverse-engineers and publishes the algorithms. A variety of secret digital cellular telephone algorithms have been "outed" and promptly broken, illustrating the futility of that argument."

from Crypto-Gram: September 15, 1999 [schneier.com]

But what could we expect from an FCC headed by a lawyer, a businessman, a professional Senate staffer, a DRM-supporter who received coaching from Clear Channel to oppose a satellite radio merger [wikipedia.org], and a professional telecom corporate lobbyist.
