In 1883 French cryptographer Auguste Kerckhoffs published a set of six design principles for military encryption systems. The second of these principles is generally summarized today in the observation that security through obscurity is not security. The Federal Communications Commission (FCC) seems not to have read the history books, or to be aware of how its sister federal agencies develop security standards.
In a common English translation, Kerckhoffs' second principle says that a secure crypto system "must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience."
There are many reasons for this. They range from the catastrophic results in the case of a breach that exposes a weakness to the reduced chance of a weakness if many eyes look at a system before it is deployed. The latter is the primary reason that the federal National Institute of Standards and Technology (NIST) conducts public contests for new encryption standards. Security expert Bruce Schneier published a very good essay on this topic a few years back.
The FCC has just decided that obscurity is better than security when it comes to software radios.
Specifically, it said "manufacturers should not intentionally make the distinctive elements that implement that manufacturer's particular security measures in a software defined radio public" if that would help circumvent FCC rules.
Because no manufacturer will want to prove that public disclosure will not cause such a risk, they are being told to keep the code secret.
On one hand, this is like saying that manufacturers should keep the circuit diagrams of old radios secret so that no one would know where to solder in a resistor to change the output strength. On the other, it is pretending that hidden code will somehow be hackproof.
In the same decision the FCC made it clear that open source software is in the FCC doghouse: "A system that is wholly dependent on open source elements will have a high burden to demonstrate that it is sufficiently secure to warrant authorization as a software defined radio." This is a message that I am sure was well received in Redmond, but a message that demonstrated bias rather than analysis on the part of the FCC.
The Software Defined Radio (SDR) Forum politely responded that the FCC did not know what it was doing and asked it to get a clue.
Comments (1)

FCC and security
By wizodd on August 12, 2008, 4:24 pm

When did any FCC decision make sense? This permits the companies to spend as little as possible on security, and then prosecute anyone who breaks their insecure...