On March 5 the United States Federal Communications Commission (FCC) upheld a 3-year-old ruling that is apparently critical of open source software because of its alleged inherent security problems. It did so by posting what it calls a “Final rule” in the Federal Register confirming a January 2010 decision. The 2007 ruling now upheld came in response to a request for clarification from Cisco (CSCO).
On one hand the ruling opens the door to renewed but undeserved fear, uncertainty and doubt when it comes to the security of open source. But it also illustrates why the U.S. government in all branches should restrain itself from getting involved with the terms "open" and "proprietary" at all.
Although the ruling and its opinion about open source software security are specific to software-defined radios (SDRs), on a wider scale they increase the need, from an IT investment point of view, to understand that open source in a software sense is primarily a term for 50-100 sets of software license terms and conditions. Secondarily, open source is a culture, but that factoid is of little value to IT investing because all the leading enterprise software suppliers—including Cisco—have embraced the culture. In fact, within software development, the culture predates the founding of most of the leading publicly traded enterprise software suppliers. And, as an investor, understand that open source is not a business model or a market, and you should not think in terms of investing in “open source companies” because there really are no such things.
Specifically the FCC ruling dismisses a petition for reconsideration filed by the SDR Forum requesting that the FCC modify statements it made on April 20, 2007. In 2007, the FCC stated that with regard to the use of open source software for implementing SDR security measures:
“… manufacturers should not intentionally make the distinctive elements that implement that manufacturer's particular security measures in a SDR radio public, if doing so would increase the risk that these security measures could be defeated or otherwise circumvented to allow operation of the radio in a manner that violates the Commission's rules. A system that is wholly dependent on open source elements will have a high burden to demonstrate that it is sufficiently secure to warrant authorization as a SDR.” (underlining added by Byron)
The SDR Forum, now called the Wireless Innovation Forum, had asked among other things that the FCC drop the second sentence in the above. The SDR Forum, some of whose members appear to be Harris, L3 Communications and XILINX, said the FCC “should remain neutral on the security of open source elements because open source approaches are no less secure than proprietary techniques.”
The FCC said it was retaining its earlier wording because the SDR Forum did not follow the proper procedure. But in the bowels of its final-rule filing the FCC says:
“Manufacturers may select the methods used to meet (security) requirements and must describe them in their application for equipment authorization. When a party applies for certification of a SDR, the description of the security methods used in the radio is automatically held confidential… The Commission's concern is only with disclosure of those particular elements of a security scheme when such disclosure could facilitate defeating the security scheme…
“The Commission emphasizes that it does not prohibit the use of open source software in implementing SDR security features. The Commission's concern with open source software is that disclosure of certain elements of a security scheme could assist parties in defeating the scheme.”
Primarily the FCC uses the terms open and proprietary throughout the filing in their non-software-license sense. But in a key section it strays into the specific software sense, writing that Cisco stated in its initial request for clarification that "open-source-based licensing agreements may require that open source software code be made publicly available," implying that this type of license term and condition could potentially lead to public disclosure of the security mechanisms themselves.
The confusing wording is why we need to keep the politicians out of the minutiae of software licensing. Let them work on really important things like world peace.
(No position in companies mentioned above)
-- Dennis Byron