28C3: New attacks on GSM mobiles and security measures shown (The H)

Posted Jan 4, 2012 3:52 UTC (Wed) by Cyberax (✭ supporter ✭, #52523)
In reply to: 28C3: New attacks on GSM mobiles and security measures shown (The H) by lambda
Parent article: 28C3: New attacks on GSM mobiles and security measures shown (The H)

You don't get it.

In a lot of countries it's ILLEGAL to use uncertified GSM stacks (hardware+software). As simple as that. You can certify OpenSource code, probably. But the moment you make a modification (even to close a security hole) you'll have to re-certify it again which kinda beats all the advantages of OpenSource.

>This argument, that we shouldn't make the code free because someone *could* break the law with it is poor reasoning. Should we ban knives, because someone could break the law with them?

The problem is, if you cut yourself with a knife - you only cut yourself. A bad firmware can affect a lot of people around you.

That's why we generally don't allow private persons to own nuclear arms.


28C3: New attacks on GSM mobiles and security measures shown (The H)

Posted Jan 4, 2012 6:22 UTC (Wed) by lambda (subscriber, #40735) [Link]

> In a lot of countries it's ILLEGAL to use uncertified GSM stacks (hardware+software). As simple as that. You can certify OpenSource code, probably. But the moment you make a modification (even to close a security hole) you'll have to re-certify it again which kinda beats all the advantages of OpenSource.

Do you have a citation for this claim? That seems farfetched to me. I can believe that it is illegal to *sell* uncertified stacks (hardware+software), and I can believe that it's illegal to *use* anything that uses the wrong frequencies, for whatever reason. But I would be hard pressed to imagine a law that forbade you, personally, from creating and using a stack (possibly by modifying the software) that was not certified, which still met all of the frequency and signal strength requirements. If that were the case, then it would be illegal to develop GSM stacks, as you would never be able to test and debug them before certifying them.

Furthermore, even if it is, technically, illegal, in certain jurisdictions, how would anyone know? If it meets all of the requirements and doesn't interfere with the network, who would ever notice?

> The problem is, if you cut yourself with a knife - you only cut yourself. A bad firmware can affect a lot of people around you.

And with a knife, you can also affect a lot of people around you, by stabbing them or mugging them. Knives are plenty dangerous; probably more dangerous than rogue GSM devices, which, if the networks are at all responsible, could at most create a temporary denial of service for a service that we've managed to live without up until a dozen or so years ago.

> That's why we generally don't allow private persons to own nuclear arms.

Are you seriously trying to compare a rogue GSM transmitter with a nuclear weapon?

28C3: New attacks on GSM mobiles and security measures shown (The H)

Posted Jan 4, 2012 11:12 UTC (Wed) by Cyberax (✭ supporter ✭, #52523) [Link]

>Do you have a citation for this claim? That seems farfetched to me.

Yes. I'll use Russia as an example:
1) "Communication regulations law" states (41, F3) that mobile devices must be certified (have a "certificate of correspondence" [to the terms of the regulations]) for use if their owner doesn't have a personal license for radio frequency: http://www.zakonrf.info/zosvyazi/41/

2) There's even a special provision which allows manufacturers to re-declare devices as compatible in case of software changes (by notifying the regulator and paying a fee for registration).

3) "Radioelectronic device" refers to a device _and_ its software as a whole.

>Furthermore, even if it is, technically, illegal, in certain jurisdictions, how would anyone know? If it meets all of the requirements and doesn't interfere with the network, who would ever notice?

Yes, there's that. It's a bit like crypto export laws in the US back in the 90s - there was no way to enforce them but they still made a lot of projects impossible.

>And with a knife, you can also affect a lot of people around you, by stabbing them or mugging them. Knives are plenty dangerous; probably more dangerous than rogue GSM devices, which, if the networks are at all responsible, could at most create a temporary denial of service for a service that we've managed to live without up until a dozen or so years ago.

That was before people started to rely on mobile phones for 911 and other emergency services. I don't even _have_ a fixed-line phone anymore, for example.

So yes, I think that something that has a very real potential to disrupt an important service should be controlled somehow.

28C3: New attacks on GSM mobiles and security measures shown (The H)

Posted Jan 4, 2012 18:29 UTC (Wed) by dlang (✭ supporter ✭, #313) [Link]

> So yes, I think that something that has a very real potential to disrupt an important service should be controlled somehow.

by this argument you end up controlling just about everything.

shovels have the ability to cause major disruption to major services (just dig in the wrong place and cut fiber, ever hear of a 'backhoe outage'?)

at some point you need to hold people responsible for doing the disruption (and account for true accidents) rather than trying to outlaw every possible means of disruption.

28C3: New attacks on GSM mobiles and security measures shown (The H)

Posted Jan 5, 2012 14:55 UTC (Thu) by yaap (subscriber, #71398) [Link]

With the knife example above, it's obvious when you create a problem.

With the shovel problem you mention, it may not be so obvious you create a big problem. A cable is a cable, it's not necessarily obvious what will be the consequence of a bad shovel move cutting a cable. But it's rare, and easy to detect and locate.

With telecommunications, it's hard to realize you're creating a problem in the first place. And it's very hard to pin-point and solve. Hence the strict laws to prevent the issue in the first place.

As an example of how easy it is to be a problem without realizing it: there was an article in LWN (too lazy to track the ref...) about guys doing a free software 2G stack. They were quoted saying that they just did tests with the transmit power stuck at the maximum because it was easier (yes, AGC is tricky). And they were doing the tests on a live network.
Does this mean anything to you? Well, to a telecom engineer this is pure evil incarnate. You just don't mess with power, and don't create interference in neighboring cells, being a nuisance for all but yourself.

People expert in one field tend to consider themselves good in other fields, particularly if they're both technical. And when you're new to something, many times things seem simpler than they are just because you don't even realize the problems lurking behind the surface. One has to be very careful when dealing with telecommunications not to be bitten by this. It's a very complex domain, no person can cover it all actually.

28C3: New attacks on GSM mobiles and security measures shown (The H)

Posted Jan 5, 2012 16:50 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

Well, shovels that can do real accidental damage (yes, they're called 'backhoes') are actually licensed. So your example is quite good, in fact.

You have to have a special license to operate a backhoe (at least in my country) and you also have to get a work permit to dig at a public territory.

Phones are like backhoes - they have real potential to cause disruptions in public networks and so they are regulated. It's just that the regulatory framework for mobile phones is quite well designed, so it's essentially invisible to end-users.

>at some point you need to hold people responsible for doing the disruption (and account for true accidents) rather than trying to outlaw every possible means of disruption.

Let me quote the GPL for you:

>IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Do you agree, as a GSM stack developer, to be liable for disruptions (up to and including loss of life) caused by the code you distribute? If the answer is 'yes', then how is this liability going to be enforced?

IMO, the answer to this problem should lie in well-defined interfaces (hardware and software) between radiomodems and the rest of the device.

28C3: New attacks on GSM mobiles and security measures shown (The H)

Posted Jan 5, 2012 17:37 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]

In the US you do not need any license to use a backhoe.

Sorry, but this is just not true...

Posted Jan 5, 2012 18:41 UTC (Thu) by khim (subscriber, #9252) [Link]

Most (all?) states require at least a heavy equipment operator license and a Class A CDL. Some have a specialized license for backhoes.

People like to pretend that all these licenses and permits are problems of the "Old World" and that in a brave new "Free World" you can do whatever you want whenever you want, but it may surprise you if you actually try to dig deeper and see how many things require a license in the US.

Sorry, but this is just not true...

Posted Jan 5, 2012 19:02 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]

It depends on what you are doing. You can go down to the local rental yard and rent a small backhoe (plenty large enough to cut cables) with no special license needed.

If you are going to be employed running a backhoe, and especially if you are going to drive one on public streets, then the licensing that you are talking about will come into play.

28C3: New attacks on GSM mobiles and security measures shown (The H)

Posted Jan 4, 2012 18:26 UTC (Wed) by dlang (✭ supporter ✭, #313) [Link]

I don't agree with the idea that it's illegal to modify a certified stack, but I will say that there are lots of different types of certification.

With some types of certification the manufacturer certifies that the device meets specific specs, and it's not legal to use any devices that don't have this certification. This doesn't mean that the device can't be modified, just that use outside the certified specs is not certified (and therefore may not be legal, depending on what licensing you have).

An example of this is 'type accepted' 2-way radios, where the manufacturer certifies that on <this> range of frequencies the performance of the radio is <this>. If the radio gets modified to operate outside of that range of frequencies, the manufacturer makes no certification of the performance, and so it may not be legal to use it (even if you have a valid license to transmit on the new frequency).

However, the types of things that the FCC (in the US; similar organizations in other countries) is concerned about are things like power level, frequency stability, how clean the signal is, modulation type, etc., not how well it complies with encryption standards or if it waits its 'turn' properly.

We have seen several examples of regulated 'transmissions' being performed by certified open source code. I think the first example was the ISDN code in Linux and its need to be certified for use in several countries, but there have been several others over the years. I really don't see GSM as being any different. The fact that Harald Welte has been able to get licenses to set up a cell tower for testing use running on completely open source code is a good indicator that there is a path open here.

28C3: New attacks on GSM mobiles and security measures shown (The H)

Posted Jan 5, 2012 15:13 UTC (Thu) by yaap (subscriber, #71398) [Link]

> The fact that Harald Welte has been able to get licenses to set up a cell tower for testing use running on completely open source code is a good indicator that there is a path open here.

It's rather easy to get a license for testing purposes for network devices. But it usually comes with strings attached. Typically indoor use, with limited power. I have several such test systems in the building I'm in, for example.

For devices, it's a different story. If it's on a dedicated test network it's fine, but such tests are usually driven by certification authorities and not widely open.

If it's with test (or hacked) devices in an operational network, it's very hard and you can only get the authorization from the operator. Who will never give it without some pre-certification (to make sure the device is at least not harmful). With the cost involved, it's only for business reasons.

Otherwise, in Europe for 3GPP standards, and in most countries, a device must at least be GCF certified to be legally used (http://www.globalcertificationforum.org).
The GCF certification is actually quite open, as the operator has no say: it can't refuse a certified device. In other places it's different. In the US you need the operator's approval for the big guys, for example.
The GCF certification covers both hardware and firmware, with the software version locked. You can have reduced testing for small changes, with justification.
The cost of certification is such that only a business can afford it. First, in order to pass in a reasonable time and cost envelope, you must be able to pre-certify in your own lab with good coverage. This is already hundreds of k€ minimum (in the millions is more typical). Then you have to pay the certification lab.
It's an expensive business, because there's a lot of work. But it's not "locked", in Europe at least: anyone with deep pockets could get their own custom device certified and legally use it. And all the specs are public at www.3gpp.org.
Now I'm not a lawyer, so please don't ask me about law references.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds