28 comments

[ 3.3 ms ] story [ 37.9 ms ] thread
No mention of Dave Taht and Vint Cerf's open letter to the FCC then? Sad.

http://fqcodel.bufferbloat.net/~d/fcc_saner_software_practic...

DD-WRT has a lot of mindshare, probably due to the fairly successful commercial partnerships with router vendors, over OpenWRT and derivatives like CeroWRT from the bufferbloat projct.

See also how Plex and Boxee attained more fame and name recognition even though they started as forks of the XBMC (now Kodi) project.

That letter really didn't get passed around enough - it's a true smackdown of the problems with proprietary, unfixable software in critical infrastructure positions.

This letter calls for quite radical and, dare I say, controversial changes. Did you really expect to see this changes adopted overnight?

Or are you complaining that Arstechnica didn't mention it?

How are those changes radical or controversial?
Giving users full control over the hardware and expecting that they will follow regulations is exactly the opposite of what RF regulatory looked like throughout the last century.

And if you want to understand the "controversial" part, just go to any company and ask what they think about being required to open source their precious firmwares and fix bugs in timely manner under the threat of getting banned from the market.

TL;DR:

Describe, if the device permits third-party software or firmware installation, what mechanisms are provided by the manufacturer to permit integration of such functions while ensuring that the RF parameters of the device cannot be operated outside its authorization for operation in the US. In the description include what controls and/or agreements are in place with providers of third-party functionality to ensure the devices’ underlying RF parameters are unchanged and how the manufacturer verifies the functionality.

This sounds like it permits open source drivers and OSs, as long as the hardware enforces FCC compliance.

However, I see a problem with the "FCC" in "FCC compliance". This rule doesn't sound good for world-roaming WiFi adapters, i.e. ones which are validated to physically work in multiple regulatory regimens and try to comply with current local regulations simply by not transmitting on frequencies not allowed everywhere in the world until they connect to some AP working on this frequency. Obviously, the assumption is that APs are compliant.

AFAIK at least Atheros makes such adapters (for laptops, phones, etc) and the channel limiting logic is implemented in drivers, which are open source for some platforms. I wonder how are they going to deal with such regulations.

Not that this would be the first time radio regulations screw mobile users, btw. You may think that even if your laptop's WiFi card is locked to channels allowed in one country, you can get a USB dongle from another country and use it there. Not that easily. Some cards made by Atheros (dunno about other vendors) are validated only for operation in certain regulatory domains and this information is stored in EEPROM on the card. Their Linux driver reads the country code from the card and passes it to the wireless stack, which in turn immediately locks out all frequencies and power levels disallowed in this country.

When I asked about this behavior, the WiFi stack maintainer's response was that they treat each region-locked card in the system as a "hint" that the system may be operating in this region and try to comply with this region's regulations just to be safe. Madness and paranoia. This maintainer was an employee of one WiFi hardware vendor.

I ended up replacing my laptop's WiFi card with one whose drivers are based on independent reverse-engineering effort, simply because they didn't bother passing regulatory codes to the WiFi stack and messing up USB dongles.

You can quite easily change your regulatory domain on Linux, as well as change stored settings (through wireless-regdb) in it. CRDA is run in user-space.

For example, `iw reg set` to BO ro JP will remove many power and channel limitations.

Yes, it's possible to have these settings stored in a tertiary firmware, but it's not common anymore. The hardware is the same, the driver and stack simply limit it based on what the OS requests.

1. `iw reg set JP` is exactly what this regulation seeks to prohibit, i.e. if you are selling WiFi hardware in the US, you have to be damn sure that no one will be able to switch it to channel 14.

2. Even with `iw reg set JP` you won't be able to go above channel 11 if your system contains an Atheros adapter certified for US market only. Even using other hardware, suitable for the job and certified by whatever agency Japan has.

The only solution is `rmmod ath` or patching the mac80211 stack. Or avoiding Atheros hardware, as I do. Not that I have anything against Atheros, I'm sure they wouldn't bother implementing this bullshit logic if they didn't have to, but their hardware is simply a PITA to use because of this.

It's interesting (depressing) to me, that the FCC thinks that hardware vendors should be responsible for what their hardware does once it leaves their hands. If we applied the same logic to other industries, there wouldn't be a firearm manufacturer left in the USA.

Is this an actual problem? Are there people running DD-WRT in a way that is wreaking havoc on other communications? I can count on one hand the number of people I know who have played with DD-WRT, and I've worked with hundreds of geeks in my career. It feels like the FCC is trying to regulate a problem that doesn't exist yet, and it makes me wonder what the motivation behind it is.

Maybe radio regulatory agencies should be given some run for their money and forced to always provide solid rationale for their rules. How serious is the problem currently? Why locating and fining offenders isn't enough?

Unfortunately, it's easier to order manufacturers to force users to jump hops instead of getting one's hands dirty.

there wouldn't be a firearm manufacturer left in the USA.

Attempts have been made on this but have not been successful. Perhaps a better comparison would be cars, which are also deadly but the liability nearly always falls on the drivers so long as the manufacturers stay within the rules.

There's probably quite a lot of weapons manufactured in the USA.

However, good luck trying to purchase this anti-aircraft battery to deter idiots who would want to crash stolen jets on your property.

---

I find it somewhat interesting that the right to own firearms referred to state of the art weaponry when it was codified.

There's no defined right of the people to keep and bear WiFi routers in the Constitution.
To go down the rabbit hole, the Second Amendment specifies "Arms" (sadly, not Mips -- sorry, couldn't resist), not firearms.

"A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed."

http://brainshavings.com/the-right-to-keep-and-bear-what/

A firearm manufacturer can be liable if the FIREARM violates the law after it left the manufacturer.
Actually it seems very similar to the example you provided.

A similar scenario would be if a firearms manufacturer designed a semi-automatic rifle (one trigger pull = 1 shot fired) that easily could be modified to be an automatic rifle (one trigger pull = multiple shots fired). Former is legal, the latter is not. If such a firearm starting becoming a favorite of criminals because of this feature, a vast majority of gun enthusiasts would have no problem with BATF requiring the manufacturer to put safeguards in place (there are perhaps a small sliver of extremists that might object, but nowhere near the degree to which an equal-but-oppositely extreme sliver of gun control advocates would have you believe).

The FCC is really just saying that if you make a device that you want to get certified, and it is physically capable of transmitting outside of the parameters for which it is being certified, it wants to know what steps you are putting in place to ensure that the it can't easily be modified to do that.

And to answer your question - yes, people are already modifying consumer routers to use outside of Part 15... for example http://www.broadband-hamnet.org/ ... those are licensed operators of course but anyone could do this, licensed or not.

Honestly, as someone who associates with a lot of gun enthusiasts, I think that the AR platform is quite easily modified into fully automatic -- just replace the sear from a semi-automatic sear to a full auto sear.

You have to have a BATFE approval and pay a tax stamp to possess a full auto sear, but the work in switching from semi to full auto is pretty minimal.

A more apt scenario that people would clamor behind is a semi-automatic firearm that had a fully automatic failure state. That would be terribly unsafe, and everyone on both sides of the gun debate would be demanding it got fixed, just as they would if a firearm were on the market that could accidentally fire when dropped.

Both of those used to be fairly common scenarios, but are now both exceedingly rare thanks to advancements in gun safety.

I'm not familiar with guns - what's a sear?

Without knowing that, I'm gonna go ahead and make a comment that may not make sense: I think the idea is that it shouldn't be trivially simple to convert a semi-automatic rifle into an automatic rifle. E.g., it can't be done by putting a paperclip into some part of the mechanism, or slightly filing down a metal part.

If getting a full auto sear is a non-trivial process (which it seems to be) and making one from scratch isn't trivial either, then gun manufacturers seem to have gone to reasonable lengths to prevent their guns from being converted to full auto.

A sear is, basically, a piece of metal. It's part of the trigger assembly. Speaking simplistically, it is the thing that gives the trigger pressure -- it holds back the striking mechanism until your trigger pull releases it.

https://en.wikipedia.org/wiki/Sear_(firearm)

This is an animation of a semi-automatic sear (in which the sear is the green part): http://mcb-homis.com/blog/trigger-animation.gif

This is an animation of a fully automatic sear (in which the sear is blue): http://mcb-homis.com/blog/m16animation1ww1.gif

Taking out a semi-automatic sear and replacing it with a fully automatic sear is trivial. Converting a semi-automatic sear is slightly more difficult, as it requires precision, and a supplementary catch (to keep the firearm from always firing always).

If people aren't committing crimes with fully automatic firearms, it isn't because the process of obtaining fully automatic firearms is difficult, because it isn't. You can get butt stocks that replicate fully automatic fire for less than $50. Fully automatic fire is just silly to use. If you miss with the first shot, you're almost certainly going to miss with subsequent shots, so for anything requiring accuracy (which is almost everything you would do with a firearm short of perhaps intimidation), converting to full auto makes it less effective.

This is true, and a good comment. It sort of supports what I am saying though; there actually aren't a lot of gun owners who think it is tyrannical to have regulation around this. And besides, the percentage of crimes committed in the US with an AR-15 (let alone an AR-15 modified in that way) is so low that the actual problem could almost be classified as non-existent, so it is not a surprise that there is not an uproar about it. Your point is taken however, thank you for the info.
What on earth are you talking about?

There is an entire, rich, enormous field of law called products liability that is precisely about holding manufacturers accountable for the performance of their products post sale. Everything from toaster ovens to home furnaces to nuclear reactors.

> If we applied the same logic to other industries, there wouldn't be a firearm manufacturer left in the USA.

We do. I'm going to ignore the statement about gun manufacturers - because lets be serious, that is hugely politically loaded, and the only reason this already isn't a thing is due to a recent act of congress making it illegal to sue gun manufacturers for the damage their guns cause, which is very likely to be repealed in the near future - but in literally every other industry this happens all the goddamned time. Car manufacturers are sued constantly, as are the manufacturers of tools and appliances, home builders, makers of factory equipment, and even the companies that make the factories and power plants themselves.

I am just... shocked. America is rife with manufacturers getting sued for the use and misuse of their products, including their downstream modification by their users, on literally a daily basis. The entire plaintiff's bar is based around this. There is a massive, multibillion - and not single billions, tens of billions - industry around the diligence behind product testing, the insurance against lawsuits in products liabilities, and the lawsuits themselves, all targeted at domestic and foreign manufacturers of everything ranging from paperclips to airplanes. I literally - literally - have a dear friend who makes his living suing aircraft and aircraft component manufacturers for products liability resulting from aviation disasters. I literally have another colleague who had a rich career of representing class action plaintiffs in everything from malfunctioning car parts to injuries caused by pharmaceuticals.

What planet do you live on?

Edit: please note that manufacturer liability also applies to foreseeable post-sale modifications: http://www.cassiday.com/maa-dri-productliability/

This is America. You can sue people for shit.

Chill. None of that rant applies, because product liability doesn't extend to aftermarket modifications made by the user.
There's not a problem with wreaking havoc on other communications precisely because of the FCC's tight regulation on such things.
It seems to me that transmitter chipsets should work with an optional resister/register that is hard-wired to the market.. in this way the device firmware won't be able to utilize the antenna out of band, or at least the drivers should/could use this as a guide, and with most device drivers of this type being included as closed/source blobs, it would be less of an issue while allowing for userspace mods like dd-wrt, open-wrt and tomato to continue working.

edit: Maybe having a dip switch panel under the cover, so it could be user modifyable, but not the "default" for a region.

So they changed the language, and the new language is

> Describe, if the device permits third-party software or firmware installation, what mechanisms are provided by the manufacturer to permit integration of such functions while ensuring that the RF parameters of the device cannot be operated outside its authorization for operation in the US. In the description include what controls and/or agreements are in place with providers of third-party functionality to ensure the devices’ underlying RF parameters are unchanged and how the manufacturer verifies the functionality.

Hardware locking to correct frequencies would satisfy this requirement. But it also sounds like getting in touch with the authors of common third-party firmwares, and getting them to agree to stay within FCC might suffice? That isn't totally clear, but it seems like that would be the ideal: hardware manufacturers some risk of power users reprogramming their radios incorrectly, but keep an eye on things so no one publishes software that leads people into doing it by accident or makes it too easy.

It's a step in the right direction. The concern I have is that "disabling" the ability to use 3rd party firmware is still the primary means of compliance which is prima facie accepted, whereas if you don't disable, then you have to make the case for why you comply, including coordinating with random 3rd parties and FCC may decide you haven't done enough. Are manufacturers going to take this risk?

Ideally for a manufacturer to take the stance that they comply through disabling 3rd party firmware updates (versus the preferred method of... what exactly?) they should have to work harder than the alternative, but at least it should be an equally "certain" process and outcome. That shifts the calculus of a risk adverse company deciding how to comply.

While they aren't banning DD-WRT, they are creating restrictions for manufacturers. The easiest way for a manufacturer to meet the new rules is simply to not allow flashing third-party software.

Even if they don't intend to ban DD-WRT, their rules may indirectly eliminate consumer ability to use it.