From: Jonathan Morton
Date: Tue, 8 Sep 2015 02:12:48 +0300
To: Rich Brown
Cc: make-wifi-fast@lists.bufferbloat.net, cerowrt-devel, bloat
Subject: Re: [Make-wifi-fast] [Cerowrt-devel] Save WiFi from the FCC - DEADLINE is in 3 days *September* 8

> On 5 Sep, 2015, at 17:12, Rich Brown wrote:
>
> Please post a link to your comments when you're done.

I couldn't figure out a way to link to my comment as submitted, so I've attached it to this e-mail instead.

 - Jonathan Morton

[Attachment: fcc-comment-sdr.txt]

Comment re: Proposed Rulemaking on Software Defined Radios
==========================================================

I am an EU resident and citizen, and a software engineer involved in cutting-edge networking research. I wish to make certain that the FCC is aware that their regulations have global effects, not merely local to the United States.
I and others firmly believe that these newly proposed certification rules:

 - will likely have deeply harmful effects,
 - address a theoretical harm which has not been clearly demonstrated to exist in practice,
 - will also be ineffective at achieving their stated goal.

I would like to take this opportunity to briefly outline alternative rules which would more carefully address the problem, avoiding the disadvantages listed above.

Global Reach
============

It is a sad fact that most electronic device manufacture no longer takes place in the Western Hemisphere. Reduced labour costs and less restrictive regulations in the Far East mean that most consumer devices are designed and made there, and only reach America and Europe by export. If faced with tight regulations for imported devices, these manufacturers have few choices:

 - Abandon the restrictive market entirely. North America is a large market, so this would be considered undesirable for the manufacturer, not just due to reduced choice for the consumer.
 - Produce a separate, specially adapted product for the restrictive market. For large, durable goods such as road vehicles, it is possible to make such adaptations without much impact on final prices. However, this would unacceptably increase design and manufacturing costs for small, relatively cheap consumer electronics devices, due to disruption of the economies of scale that these manufacturers rely on.
 - Produce a single product adapted for the most restrictive market the device is sold to. This effectively imposes these restrictive regulations globally.

It seems clear that most consumer device manufacturers will choose the latter option. That is why I am writing this comment.
Unintended Harms
================

The proposed regulations do not clearly define the limits of what must be protected, especially considering the inevitable fact that the relevant reader - based in the Far East - speaks English only as a second language. This will lead to a misunderstanding of the true requirements, and the following likely consequences:

 - Firmware modification will be prevented on the entire device, not just the parts which intentionally radiate RF energy.
 - Software updates will be disallowed as well, even when they are clearly necessary to fix bugs and security holes in the original, certified firmware.
 - Malicious actors (including such state-level actors as the NSA, GCHQ, Russia and China) will find and exploit holes unknown at the time of certification. This already occurs, due to the minimal effort manufacturers currently put into producing secure, high-quality firmware, but it will become difficult or impossible to close these holes subsequently, as is presently possible by installing third-party, actively-maintained firmware such as OpenWRT.
 - Legitimate end-user modifications, including those performed by licenced amateur-radio operators (whose permitted frequencies overlap with the capabilities of many SDR devices), will be actively discouraged. Amateur radio has often proved invaluable during crises, including natural disasters and terrorist attacks; hampering its capabilities in this way could conceivably have fatal consequences.
 - Research which requires firmware modifications will be severely hampered. One current focus of this research is improving the robustness and latency of wired and wireless networks through advanced queuing disciplines; this requires close integration with the relevant network hardware.
   For example: http://www.bufferbloat.net/projects/codel/wiki/CakeTechnical
 - FCC-compliant devices will be unable to use the wider frequency ranges and higher powers that may be available in other jurisdictions.
 - Devices sold abroad, but brought to the US by visitors, will radiate beyond the regulated limits (e.g. on channels 12-14 in the 2.4GHz band), with no way for the user to prevent it, unless those capabilities are denied even in jurisdictions in which they are permitted.
 - An entire class of innovative products may be stifled due to the increased regulatory burden.

It is worth emphasising that most recent Wi-Fi devices use SDR techniques, and thus fall under these proposed rules. One reasonable interpretation of the rules as presently proposed would encompass an entire laptop, including its operating system and applications, as the device for which software modifications are to be prevented. If this seems absurd - as it should - then there is clearly scope to define the rules more narrowly.

Ineffectiveness
===============

As noted above, Far East manufacturers do not have an intrinsic incentive to adopt genuine best practices with respect to software quality and security. While regulations can impose extrinsic incentives, these serve only to enforce the appearance of security, not its effect in practice. This inevitably leads to measures which impose at least as much inconvenience and frustration on end-users as a genuinely secure system would, but without noticeably impeding the efforts of experienced, motivated attackers.

Previous experience in this area can be seen in the Digital Rights Management sphere, where technologies such as corrupted floppy-disk sectors, DVD's CSS encryption, SecuROM, HDMI's HDCP et al. have all been bypassed, some with greater ease than others.
Of those mentioned, HDCP is both the least intrusive - most consumers are completely unaware of its operation - and stood the test of time best, but it too was eventually cracked. Some DRM technologies actively harmed the equipment of legitimate users, in pursuit of the extrinsic goal of copy-protection imposed by the entertainment industry, but were immediately bypassed by experienced "software pirates" - the supposed targets of the technology - who already routinely removed copy-protection software before repackaging the product for distribution.

The response of corporations to security breaches is also instructive, with regulations being necessary even to make them admit that a major consumer-privacy breach has occurred, and even then cover-ups undoubtedly still occur. This type of regulation is more difficult to extend to the Far East, where it would be required.

Typically, consumer devices of this type are based on a standard piece of hardware which, to simplify software development, has a variety of debugging interfaces included - generally including a serial console and a JTAG debugger interface. While the connection headers are generally omitted from the final product for cost reasons, it is easy for an engineer or hacker to fit them manually, using a soldering iron. Instructions for doing so are widely circulated for legitimate purposes, such as porting OpenWRT to the wide range of new devices which regularly appear on the market. It seems highly unlikely that these interfaces can be modified or disabled in a way that would not also inhibit the manufacturer's own development practices. Hence, even if these debug interfaces become the only reliable way to modify firmware (thus removing this option from the general consumer), they will remain available to sufficiently motivated individuals and organisations.
Absence of Harm
===============

In proposing these rules, the FCC has not clearly articulated a specific harm that they could reasonably address. Only the "potential" for the originally licenced and certified emissions limits to be bypassed, with no evidence that this is already occurring or likely to occur in practice, and some images of interference caused to a handful of obsolete radar installations (which are already due for replacement) by devices already in the field - devices which can reasonably be assumed to be certified and compliant in any case, but whose emissions can in aggregate be detected by sensitive equipment.

Meanwhile, it is straightforward and inexpensive to construct devices which do emit harmful interference in the relevant bands, whether using SDR techniques or not. It is arguably easier to do so than to modify an existing device's firmware to do so, even without any technological restrictions on the latter.

There has also, surprisingly, been little or no mention of any harm caused by certified and compliant devices which have been configured for a foreign jurisdiction with more permissive regulations. For example, 2.4GHz channels 12 and 13 are available in the EU but not in the US; channel 14 is available only in Japan. Power limits also vary between regulatory domains. The volume of visitors to the US from these regions, and the general ignorance among consumers of these differences, implies that a significant amount of misconfigured radio equipment already exists in the US at any given time.

Alternatives
============

I make the charitable assumption, here, that reducing the potential for accidental emissions beyond the regulated limits is a desirable goal. Here are some rules which address this goal while also retaining the ability to modify device firmware.
This should reduce harms on both sides of the equation, as well as being more realistically practical to implement.

 - Isolate the components of the radio responsible for the frequency and intensity of emissions from the rest of the system, and provide a narrow, clearly defined interface between the two. This reduces the attack surface, making these isolated components easier to secure. This isolation boundary may include, at maximum, the components of a distinct module such as a PCI Express card (which is currently the industry-standard method of attaching Wi-Fi radios to a device); preferably it would encompass only a minimal portion of that hardware.
 - Store the firmware of the isolated components securely within those components, eliminating the dependence on the integrity of the larger device's software or firmware for compliance. The isolated components can then be certified separately from any device they may be attached to. It should, in this case, be possible to adjust certain parameters of the emission spectrum to cater for different regulatory domains; this could be done via a regulatory-domain configuration file uploaded through the defined interface, or via a simple numerical selector between such files stored within the firmware.
 - Alternatively, integrate a cryptographic verification system within the isolated components, which ensures firmware loaded into the components is verified as authentic before use. This would allow updates to the firmware to be distributed after sale of the device, or different firmware to be loaded for different regulatory domains, while still ensuring that only certified firmware is loaded.
 - Alternatively, publish the firmware for the isolated components in a human-readable format, so that it can be audited for compliance and modified if necessary.
   It must then be straightforward to verify (through conversion of the human-readable version into device format) that the published firmware corresponds to that actually loaded into devices on sale. This option is the most beneficial for amateur-radio operators and researchers, since they would then be able to modify the firmware to meet their needs; they would of course assume liability for any regulatory compliance problems their modifications introduce.

The above rules specifically address the problem of potential harmful emissions at the RF level. But I would go further to reduce other harms, though these aspirations may require a separate round of rulemaking:

 - Require device firmware to be demonstrably free of known security vulnerabilities at time of sale. This should include reference to design best-practices (such as verification of digital certificates used for secure communication, absence of fixed default passwords) in consultation with acknowledged software security experts, and reference to a database of known software vulnerabilities, such as the CVE series. There are well-established vulnerability scanners on the market which can be used to assist this process.
 - Require device firmware to be updated, automatically and without the need for end-user attention, to fix defects (in the above category or otherwise) discovered after time of sale, for the expected lifetime of the device. This should, at minimum, extend to the ordinary manufacturer's warranty period of the last device of the type sold at retail, and preferably to the period of an extended warranty which might be sold for that device. This update process must also be demonstrably designed to be secure against man-in-the-middle hijack attempts.
 - Require claims of functionality made in marketing material for the device (including but not limited to the packaging and manual) to have a verifiable basis in fact.
   In particular, it must be straightforward to quantifiably demonstrate the feature's functionality and benefits in a typical installation configuration in the laboratory, using only configuration options available to the user and (if relevant) described in the user manual.
 - Require the ability to replace the manufacturer's software or firmware with any alternative from a third-party, given explicit and verified consent from the end-user (such as holding down a button during power-on to initiate the firmware reload). This would not necessarily include replacing the firmware of isolated radio components as described above. Exercising this ability would necessarily relieve the manufacturer of any liability related to problems with the firmware, unless the process is repeated to replace the third-party firmware with the original. This would enhance the ability of third-party firmware projects (such as DD-WRT and OpenWRT for consumer devices, or Linux on laptops) to take advantage of hardware advances.

The above requirements, if enforced, would go a long way to address the worrying state of consumer device security, especially with respect to the so-called "Internet of Things". In any case, without them any attempt to implement the rules on SDR as presently proposed is doomed to failure.

Thank you for your attention.

 - Jonathan Morton
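The isolation-plus-certified-profile scheme sketched in the "Alternatives" section of the attached comment, worked through as an added example. This is not code from Jonathan Morton's comment or from any real radio firmware; it assumes a constructed 4-byte profile format (two-letter label, maximum 2.4GHz channel, a placeholder power ceiling), Ed25519 as the signature scheme (the comment names no algorithm), and the channel limits the comment itself gives (US up to channel 11, EU up to 13, Japan up to 14). The radio module holds only the certifier's public key, so host firmware, whether the manufacturer's or a third party's, lies outside the trust boundary and can change the emission limits only by presenting a profile the certifier actually signed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// RegDomain is a constructed regulatory-domain profile for the 2.4 GHz band.
// Channel limits follow the comment (US 1-11, EU 1-13, Japan up to 14); the
// power ceilings are placeholders, not regulatory values.
type RegDomain struct {
	Country     [2]byte // two-letter label
	MaxChannel  uint8
	MaxPowerDBm uint8
}

// Constructed wire format: 4-byte body (country[2], max channel, max power)
// followed by a 64-byte Ed25519 signature over that body.
const (
	bodyLen = 4
	blobLen = bodyLen + ed25519.SignatureSize
)

func encodeBody(d RegDomain) []byte {
	return []byte{d.Country[0], d.Country[1], d.MaxChannel, d.MaxPowerDBm}
}

// SignProfile is the certifier's offline step; the private key never reaches the device.
func SignProfile(priv ed25519.PrivateKey, d RegDomain) []byte {
	body := encodeBody(d)
	return append(body, ed25519.Sign(priv, body)...)
}

// RadioModule models the isolated radio component: it holds only the
// certifier's public key (fixed at manufacture) and the active profile.
type RadioModule struct {
	certPub ed25519.PublicKey
	active  *RegDomain
}

// LoadProfile is the narrow host-to-radio interface: a profile is activated
// only if its signature verifies, so a reflashed host cannot widen the limits.
func (m *RadioModule) LoadProfile(blob []byte) error {
	if len(blob) != blobLen {
		return errors.New("malformed profile blob")
	}
	body, sig := blob[:bodyLen], blob[bodyLen:]
	if !ed25519.Verify(m.certPub, body, sig) {
		return errors.New("profile rejected: signature does not verify")
	}
	m.active = &RegDomain{Country: [2]byte{body[0], body[1]}, MaxChannel: body[2], MaxPowerDBm: body[3]}
	return nil
}

// ChannelPermitted is the gate the transmit path consults; with no certified
// profile loaded the radio stays silent.
func (m *RadioModule) ChannelPermitted(ch uint8) bool {
	return m.active != nil && ch >= 1 && ch <= m.active.MaxChannel
}

// Scenario returns the outcome of three cases: a certified US profile blocks
// channel 13; a host-side edit widening it to channel 14 is rejected with the
// old limits still in force; a certified EU profile enables 13 but not 14.
func Scenario() (usCh13Blocked, tamperRejected, euCh13Allowed, euCh14Blocked bool, err error) {
	certPub, certPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	radio := &RadioModule{certPub: certPub}
	us := SignProfile(certPriv, RegDomain{Country: [2]byte{'U', 'S'}, MaxChannel: 11, MaxPowerDBm: 30})
	if err = radio.LoadProfile(us); err != nil {
		return
	}
	usCh13Blocked = !radio.ChannelPermitted(13)
	// Constructed tampering: flip the max-channel byte without the signing key.
	tampered := append([]byte(nil), us...)
	tampered[2] = 14
	tamperRejected = radio.LoadProfile(tampered) != nil && !radio.ChannelPermitted(14)
	eu := SignProfile(certPriv, RegDomain{Country: [2]byte{'E', 'U'}, MaxChannel: 13, MaxPowerDBm: 20})
	if err = radio.LoadProfile(eu); err != nil {
		return
	}
	euCh13Allowed = radio.ChannelPermitted(13)
	euCh14Blocked = !radio.ChannelPermitted(14)
	return
}

func main() {
	a, b, c, d, err := Scenario()
	fmt.Println("US blocks ch13:", a, "tamper rejected:", b, "EU allows ch13:", c, "EU blocks ch14:", d, "err:", err)
}
```

The "simple numerical selector" variant the comment mentions would be a table of such pre-signed blobs stored in the module, indexed by number and fed through the same LoadProfile check, so the selector cannot activate anything the certifier did not sign. The same pattern covers the comment's later point about update channels: an update blob carried over an untrusted network is useless to an interposer who cannot produce a valid signature, which is what "secure against man-in-the-middle hijack" reduces to in practice.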