In 1883 French cryptographer Auguste Kerckhoffs published a set of six design principles for military encryption systems. The second of these principles is generally known today under the observation that security through obscurity is not security. The Federal Communications Commission (FCC) seems not to have read the history books or to be aware of how its sister federal agencies develop security standards.

In a common English translation, Kerckhoffs' second principle says that a secure crypto system "must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience."

There are many reasons for this. They range from the catastrophic results in the case of a breach that exposes a weakness to the reduced chance of a weakness if many eyes look at a system before it is deployed. The latter is the primary reason that the federal National Institute of Standards and Technology (NIST) conducts public contests for new encryption standards. Security expert Bruce Schneier published a very good essay on this topic a few years back.

The FCC has just decided that obscurity is better than security when it comes to software radios.

Specifically, it said "manufacturers should not intentionally make the distinctive elements that implement that manufacturer's particular security measures in a software defined radio public" if that would help circumvent FCC rules.

Because no manufacturer will want to prove that public disclosure will not cause such a risk, they are being told to keep the code secret.

On one hand, this is like saying that manufacturers should keep circuit diagrams of old radios secret so that someone would not know where to solder in a resistor to change the output strength. And on the other, it's pretending that hidden code somehow will be hackproof.

In the same decision the FCC made it clear that open source software is in the FCC doghouse: "A system that is wholly dependent on open source elements will have a high burden to demonstrate that it is sufficiently secure to warrant authorization as a software defined radio." This is a message that I am sure was well received in Redmond, but a message that demonstrated bias rather than analysis on the part of the FCC.

The Software Defined Radio (SDR) Forum politely responded that the FCC did not know what it was doing and asked it to get a clue.