Via Dave Farber's IP list, I find that he, Dave Taht, Jim Gettys, the
bufferbloat team, and other
luminaries have submitted a
response to the FCC's proposed rule-making (PDF) that would have outlawed software defined radios and open source WiFi router software such as
OpenWrt. My
blogging about the Internet of Things started a year ago from a conversation with Jim when he explained the
Moon malware, which was scanning home routers. It subsequently turned out to be preparing to take out
Sony and Microsoft's gaming networks at Christmas. Its hard to think of a better demonstration of the need for reform of the rules for home router software, but the FCC's proposal to make the only reasonably secure software for them illegal is beyond ridiculous.
The recommendations they submitted are radical but sensible and well-justified by events:
- Any vendor of software-defined radio (SDR), wireless, or Wi-Fi radio must make public the full and maintained source code for the device driver and radio firmware in order to maintain FCC compliance. The source code should be in a buildable, change-controlled source code repository on the Internet, available for review and improvement by all.
- The vendor must assure that secure update of firmware be working at time of shipment, and that update streams be under ultimate control of the owner of the equipment. Problems with compliance can then be fixed going forward by the person legally responsible for the router being in compliance.
- The vendor must supply a continuous stream of source and binary updates that must respond to regulatory transgressions and Common Vulnerability and Exposure reports (CVEs) within 45 days of disclosure, for the warranted lifetime of the product, or until five years after the last customer shipment, whichever is longer.
- Failure to comply with these regulations should result in FCC decertification of the existing product and, in severe cases, bar new products from that vendor from being considered for certification.
- Additionally, we ask the FCC to review and rescind any rules for anything that conflicts with open source best practices, produce unmaintainable hardware, or cause vendors to believe they must only ship undocumented “binary blobs” of compiled code or use lockdown mechanisms that forbid user patching. This is an ongoing problem for the Internet community committed to best practice change control and error correction on safety-critical systems.
As the submission points out, experience to date shows that vendors of home router equipment are
not motivated to, do
not have the skills to, and
do not, maintain the security of their software. Locking down the vendor's insecure software so it can't be diagnosed or updated is a recipe for even more such disasters. The vendors don't care if their products are used in botnets or steal their customer's credentials. Forcing the vendors to use open source software and to respond in a timely fashion to vulnerability discoveries on pain of decertification is the only way to fix the problems.
I just finished reading John Tinnell's The Philosopher of Palo Alto. Based on Stanford Library's extensive archive of Mark Weiser's papers, and interviews with many participants, it is an impressively detailed and, as far as I can tell, accurate account of the "ubiquitous computing" work he drove at Xerox PARC. I strongly recommend reading it. Tinnell covers Weiser's life story to his death at age 46 in 1999, the contrast between his work and that at Nick Negroponte's MIT Media Lab, and the ultimate failure of his vision.