
Re: DFSG violations in Lenny: Summarizing the choices



On Sat, Nov 08, 2008 at 03:29:44PM -0800, Thomas Bushnell BSG wrote:
> On Sat, 2008-11-08 at 14:11 -0500, Theodore Tso wrote:
> > There are corporate lawyers who are very much afraid that the FCC
> > could, if they were alerted to the fact that someone had figured out
> > how to reverse engineer the HAL and/or the firmware to cause their
> > WiFi unit to become a "super radio" that could transmit on any
> > frequency, that the FCC could prohibit the *hardware* from being sold
> > anywhere in the US.  
> 
> I've heard this claim before.  Can you substantiate it in some way?

Private conversations from a representative of a company who genuinely
wants to do the right thing, but who had to battle the lawyers who
were afraid of losing millions and millions of dollars.  I'm honor
bound not to release the name of the engineer(s) and companies involved,
so you can take that as you will.

> It seems to me that, if this is really true, then the hardware
> manufacturers have been lying to the FCC for years, claiming that the
> user cannot reprogram the card, without explaining that, in fact, it's
> just that users may not know how to, but that they can do so without any
> hardware mucking.

The FCC understands that you can't make it *impossible*.  Even before
software radios, it was understood that someone possessing the skills,
say, of an amateur radio operator might be able to add a resistor or
capacitor in parallel with an RC/LC tuning circuit, and modify the
length of the antenna, etc., thus making a radio transmit outside of
the band which it was type-certified to operate on.  A radio
manufacturer is not required to dunk the entire radio in epoxy, and
make it utterly *impossible* for someone to modify the radio; on the
other hand, if all it takes is clipping a jumper or cutting a trace on
a board, the FCC does have the power to order that the radio not be
sold in the US.

So just as the GPL has never been tested on point about whether or not
a program which dynamically links against a GPL'ed library would be
infected by the GPL, and just as the FSF has appropriately pointed out
that the court system does not operate algorithmically, but can make
decisions based on intent --- similarly, the FCC has not ruled on
point on implementations that rely on software radios.  Most lawyers
seem to agree that documenting how to modify the firmware is
roughly equivalent to providing a trace that if cut, would allow
scanners to listen in on cell phone frequencies, and then "leaking"
tech sheets that would allow people to modify scanners to do something
which the US Congress (rightly or wrongly) has declared to be illegal.

There seems to be some disagreement about whether "security by
obscurity" is sufficient for the FCC, or whether you have to implement
hard cryptographic signing to prevent non-vendor-approved firmware from
being used, but that's because there's no precedent.  Given that it
seems pretty clear that the FCC has never penalized a radio
manufacturer if a skilled Ham Radio operator or Electrical Engineer
reverse engineered an analog circuit, and then modified it to
transmit on a band that the equipment wasn't type-certified, one could
argue that "security by obscurity" is considered permissible by the
FCC.  But until there's precedent, we won't know for sure --- just as
we won't know whether or not a program which dynamically links against
a GPL library is really bound by the GPL until a court rules on point
on the issue --- and then we'll only know in that legal jurisdiction.

> Regardless, the DFSG doesn't say anything about "unless the FCC has an
> annoying rule".  We don't distribute non-free software in Debian.  And
> that's not some sort of choice we might make--it's a choice we have
> already made.

And as I said, I think we should let the DFSG hard-liners win.  Let's
yank all of the binaries that require a firmware, and release Lenny
as-is.  If that causes some users to switch to some fork that actually
has a kernel that works for them, given their hardware, or said users
switch to Ubuntu, then so be it.  At least we'll stop flaming about
the issue.

      	      	    	       	       	     	 - Ted

