[Discuss] "Plan for More Secure, Reliable Wi-Fi Routers"

[greg at freephile.com (Greg Rundlett (freephile))]

Fantastic!

Greg Rundlett
https://eQuality-Tech.com
https://freephile.org

On Wed, Oct 14, 2015 at 9:35 AM, Stephen Ronan <sronan at panix.com> wrote:

>
> ---------- Forwarded message ----------
> Date: Wed, 14 Oct 2015 08:51:43 -0400
> From: David Farber <farber at gmail.com>
> To: ip <ip at listbox.com>
>
> Global Internet Experts Reveal Plan for More Secure, Reliable Wi-Fi
> Routers - and Internet Letter to FCC Requests Mandates for Securing and
> Updating Wi-Fi Devices
>
> October 14, 2015 06:00 AM Eastern Daylight Time
>
> WASHINGTON--(BUSINESS WIRE)--In a letter submitted to the Federal
> Communications Commission (FCC), Dave Tht, co-founder of the Bufferbloat
> Project, and Dr. Vinton Cerf, co-inventor of the Internet, along with more
> than 260 other global network and cybersecurity experts, responded to the
> newly proposed FCC rules laid out in ET Docket No. 15-170 for RF Devices
> such as Wi-Fi routers by unveiling a new approach to improve the security
> of these devices and ensure a faster, better, and more secure Internet.
>
> "The recommendations in this document would go a long way toward ensuring
> the existence of a highly performant, secure, and regulation-compliant
> Internet far into the future."
>
> The letter was filed during the agency.s public comment period on this
> issue.
>
> Dave Farber, former Chief Technologist of the FCC, supports the new
> approach, stating, "Today there are hundreds of millions of Wi-Fi routers
> in homes and offices around the globe with severe software flaws that can
> be easily exploited by criminals. While we agree with the FCC that the
> rules governing these devices must be updated, we believe the proposed
> rules laid out by the agency lack critical accountability for the device
> manufacturers."
>
> "We can't afford to let any part of the Internet's infrastructure rot in
> place. We made this proposal because the wireless spectrum must not only be
> allocated responsibly, but also used responsibly. By requiring a bare
> minimum of openness in the technology at the edge of the Internet, we'll
> ensure that any mistakes or cheating are caught early and fixed fast," said
> Dr. Vint Cerf, a co-inventor of the Internet and also Senior Vice President
> and Chief Internet Evangelist at Google.
>
> To improve accountability significantly while keeping the original intent
> of the regulation, the signatories, who also included Dr. Paul Vixie, Dr.
> Sascha Meinrath, Dr. Nick Feamster, Jim Gettys, Dr. David P. Reed, Dr.
> Andreas Petlund, Jeff Osborn, and other well-known industry experts,
> recommend the FCC mandate the following actions:
>
> 1. Any vendor of software-defined radio (SDR), wireless, or Wi-Fi radio
> must make public the full and maintained source code for the device driver
> and radio firmware in order to maintain FCC compliance. The source code
> should be in a buildable, change-controlled source code repository on the
> Internet, available for review and improvement by all.
>
> 2. The vendor must assure that secure update of firmware be working at
> time of shipment, and that update streams be under ultimate control of the
> owner of the equipment. Problems with compliance can then be fixed going
> forward by the person legally responsible for the router being in
> compliance.
>
> 3. The vendor must supply a continuous stream of source and binary updates
> that must respond to regulatory transgressions and Common Vulnerability and
> Exposure reports (CVEs) within 45 days of disclosure, for the warranted
> lifetime of the product, or until five years after the last customer
> shipment, whichever is longer.
>
> 4. Failure to comply with these regulations should result in FCC
> decertification of the existing product and, in severe cases, bar new
> products from that vendor from being considered for certification.
>
> 5. Additionally, we ask the FCC to review and rescind any rules for
> anything that conflicts with open source best practices, produce
> unmaintainable hardware, or cause vendors to believe they must only ship
> undocumented .binary blobs. of compiled code or use lockdown mechanisms
> that forbid user patching. This is an ongoing problem for the Internet
> community committed to best practice change control and error correction on
> safety-critical systems.
>
>
> "Our fight for a free and open Internet began long before the invention
> and wide use of Wi-Fi home routers, whose manufacturers chose to base on
> open software. We are at an important inflection point in the history of
> the Internet. The FCC has an opportunity to take positive action that will
> increase the security and performance not only of these devices, but also
> influence how manufacturers develop secure Internet of Things while
> preserving an open Internet," said Jim Gettys, Chairman, Bufferbloat
> Project.
>
> "Networking research and innovation fundamentally depend on the ability to
> modify firmware on CPE and deploy it in real-world settings in home
> networks," said Dr. Nick Feamster, Acting Director of Center for
> Information Technology Policy at Princeton University.
>
> "The Internet is now effectively a battleground with end-users, our
> employers, our schools and our vendors on one side, and organized crime and
> nation-states on the other side. Our home gateways are often repurposed by
> our adversaries into weapons against us because these small, cheap plastic
> boxes are unpatchable, abandoned by their makers, and completely opaque.
> These devices are currently the Internet's public enemy #1. The plan
> proposed would significantly decontaminate our technology supply chain,"
> said Dr. Paul Vixie, CEO of Farsight Security, Inc.
>
> "The recommendations in this document would go a long way toward ensuring
> the existence of a highly performant, secure, and regulation-compliant
> Internet far into the future," said Jonathan Corbet, Executive Editor,
> LWN.net.
>
> "As the recent revelations about the 'Moon Worm,' 'DNSchanger,' and
> 'Misfortune Cookie' and now the Volkswagen scandal illustrate, secret,
> locked-down firmware represents a clear and present danger to the security
> of the Internet," said Ted Lemon, recent Area Director at the IETF.
>
> "If we raise the bar for firmware code quality, maintenance, and upgrades,
> we can finish beating bufferbloat, especially on Wi-Fi, deploy IPv6 faster,
> improve security, and build a vastly better Internet, for everybody," said
> Dave Tht, Architect, CeroWrt, co-founder, Bufferbloat Project.
>
> If you care about this important issue and agree with our approach, please
> contact your local Congressional representative and share our letter with
> them. For media interview requests or other inquiries, please contact
> media at bufferbloat.net.
>
> About the Bufferbloat Project
>
> The Bufferbloat Project is an international coalition of individuals, many
> who were instrumental in the development of the Internet, and several with
> Wi-Fi, deeply concerned about the future health, speed, and safety of the
> edge of the Internet. In operation for 5 years, and working primarily on
> third-party firmware, it has pioneered new algorithms, boosted safety and
> security, helped develop new standards, and worked to make as much of this
> new theory and code available as possible for all to use. For more
> information, please visit http://www.bufferbloat.net.
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss
>