Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive


[Discuss] "Plan for More Secure, Reliable Wi-Fi Routers"


Greg Rundlett

On Wed, Oct 14, 2015 at 9:35 AM, Stephen Ronan <sronan at> wrote:

> ---------- Forwarded message ----------
> Date: Wed, 14 Oct 2015 08:51:43 -0400
> From: David Farber <farber at>
> To: ip <ip at>
> Global Internet Experts Reveal Plan for More Secure, Reliable Wi-Fi
> Routers - and Internet Letter to FCC Requests Mandates for Securing and
> Updating Wi-Fi Devices
> October 14, 2015 06:00 AM Eastern Daylight Time
> WASHINGTON--(BUSINESS WIRE)--In a letter submitted to the Federal
> Communications Commission (FCC), Dave Täht, co-founder of the Bufferbloat
> Project, and Dr. Vinton Cerf, co-inventor of the Internet, along with more
> than 260 other global network and cybersecurity experts, responded to the
> newly proposed FCC rules laid out in ET Docket No. 15-170 for RF Devices
> such as Wi-Fi routers by unveiling a new approach to improve the security
> of these devices and ensure a faster, better, and more secure Internet.
> "The recommendations in this document would go a long way toward ensuring
> the existence of a highly performant, secure, and regulation-compliant
> Internet far into the future."
> The letter was filed during the agency's public comment period on this
> issue.
> Dave Farber, former Chief Technologist of the FCC, supports the new
> approach, stating, "Today there are hundreds of millions of Wi-Fi routers
> in homes and offices around the globe with severe software flaws that can
> be easily exploited by criminals. While we agree with the FCC that the
> rules governing these devices must be updated, we believe the proposed
> rules laid out by the agency lack critical accountability for the device
> manufacturers."
> "We can't afford to let any part of the Internet's infrastructure rot in
> place. We made this proposal because the wireless spectrum must not only be
> allocated responsibly, but also used responsibly. By requiring a bare
> minimum of openness in the technology at the edge of the Internet, we'll
> ensure that any mistakes or cheating are caught early and fixed fast," said
> Dr. Vint Cerf, a co-inventor of the Internet and also Senior Vice President
> and Chief Internet Evangelist at Google.
> To improve accountability significantly while keeping the original intent
> of the regulation, the signatories, who also included Dr. Paul Vixie, Dr.
> Sascha Meinrath, Dr. Nick Feamster, Jim Gettys, Dr. David P. Reed, Dr.
> Andreas Petlund, Jeff Osborn, and other well-known industry experts,
> recommend the FCC mandate the following actions:
> 1. Any vendor of software-defined radio (SDR), wireless, or Wi-Fi radio
> must make public the full and maintained source code for the device driver
> and radio firmware in order to maintain FCC compliance. The source code
> should be in a buildable, change-controlled source code repository on the
> Internet, available for review and improvement by all.
> 2. The vendor must assure that secure update of firmware be working at
> time of shipment, and that update streams be under ultimate control of the
> owner of the equipment. Problems with compliance can then be fixed going
> forward by the person legally responsible for the router being in
> compliance.
> 3. The vendor must supply a continuous stream of source and binary updates
> that must respond to regulatory transgressions and Common Vulnerability and
> Exposure reports (CVEs) within 45 days of disclosure, for the warranted
> lifetime of the product, or until five years after the last customer
> shipment, whichever is longer.
> 4. Failure to comply with these regulations should result in FCC
> decertification of the existing product and, in severe cases, bar new
> products from that vendor from being considered for certification.
> 5. Additionally, we ask the FCC to review and rescind any rules for
> anything that conflicts with open source best practices, produce
> unmaintainable hardware, or cause vendors to believe they must only ship
> undocumented "binary blobs" of compiled code or use lockdown mechanisms
> that forbid user patching. This is an ongoing problem for the Internet
> community committed to best practice change control and error correction on
> safety-critical systems.
> "Our fight for a free and open Internet began long before the invention
> and wide use of Wi-Fi home routers, whose manufacturers chose to base on
> open software. We are at an important inflection point in the history of
> the Internet. The FCC has an opportunity to take positive action that will
> increase the security and performance not only of these devices, but also
> influence how manufacturers develop secure Internet of Things while
> preserving an open Internet," said Jim Gettys, Chairman, Bufferbloat
> Project.
> "Networking research and innovation fundamentally depend on the ability to
> modify firmware on CPE and deploy it in real-world settings in home
> networks," said Dr. Nick Feamster, Acting Director of Center for
> Information Technology Policy at Princeton University.
> "The Internet is now effectively a battleground with end-users, our
> employers, our schools and our vendors on one side, and organized crime and
> nation-states on the other side. Our home gateways are often repurposed by
> our adversaries into weapons against us because these small, cheap plastic
> boxes are unpatchable, abandoned by their makers, and completely opaque.
> These devices are currently the Internet's public enemy #1. The plan
> proposed would significantly decontaminate our technology supply chain,"
> said Dr. Paul Vixie, CEO of Farsight Security, Inc.
> "The recommendations in this document would go a long way toward ensuring
> the existence of a highly performant, secure, and regulation-compliant
> Internet far into the future," said Jonathan Corbet, Executive Editor,
> "As the recent revelations about the 'Moon Worm,' 'DNSchanger,' and
> 'Misfortune Cookie' and now the Volkswagen scandal illustrate, secret,
> locked-down firmware represents a clear and present danger to the security
> of the Internet," said Ted Lemon, recent Area Director at the IETF.
> "If we raise the bar for firmware code quality, maintenance, and upgrades,
> we can finish beating bufferbloat, especially on Wi-Fi, deploy IPv6 faster,
> improve security, and build a vastly better Internet, for everybody," said
> Dave Täht, Architect, CeroWrt, co-founder, Bufferbloat Project.
> If you care about this important issue and agree with our approach, please
> contact your local Congressional representative and share our letter with
> them. For media interview requests or other inquiries, please contact
> media at
> About the Bufferbloat Project
> The Bufferbloat Project is an international coalition of individuals, many
> who were instrumental in the development of the Internet, and several with
> Wi-Fi, deeply concerned about the future health, speed, and safety of the
> edge of the Internet. In operation for 5 years, and working primarily on
> third-party firmware, it has pioneered new algorithms, boosted safety and
> security, helped develop new standards, and worked to make as much of this
> new theory and code available as possible for all to use. For more
> information, please visit

BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
