[Battlemesh] Forced firmware lockdown in EU already passed

Henning Rogge hrogge at gmail.com
Mon Sep 7 16:28:26 CEST 2015


*sarcasmmodeon*

Oh my God, we cannot do this! This would enable EVIL hackers to penetrate
the thick firewalls and security mechanisms of our firmware and let it do
horrible things! Firmware must be secret!

*sarcasmmodeoff*

I would assume most companies would be ashamed about showing their firmware
source code. ;)

Henning

On Mon, Sep 7, 2015 at 4:24 PM, Dave Taht <dave.taht at gmail.com> wrote:

> to me the simplest and best requirement the eu and us could have is
> that the firmware and driver source be fully available and audited.
> This, rather than a "promise of compliance" by the fly-by-night
> vendor, would ensure that the regulations be adhered to. The amount of
> actual code we are talking about is very, very small, compared to the
> rest of the system.
>
> On Mon, Sep 7, 2015 at 7:20 AM, Laurent GUERBY <laurent at guerby.net> wrote:
> > On Sun, 2015-09-06 at 10:50 -0700, Mitar wrote:
> >> Hi!
> >>
> >> > This is not that clear cut in EU: enforcement of Article 3 (3) list
> >> > "essential requirements" is delegated to proposals of which equipment
> >> > will be affected by the EU Commission, and these proposals can be blocked
> >> > either by the council or the parliament. Also, the preamble (19)
> >> > states clearly that software verification should not be abused to
> >> > prevent third party software. See below for quotes.
> >>
> >> But preamble is not a directive, no? And directive does not contain any
> >> such language.
> >>
> >> Also, how do you see in practice that both Article 3 (3) and preamble
> >> (19) would be possible? The only way I see it for a manufacturer to do
> >> that is to accept firmware images signed by a key from EU Commission.
> >> And then it leaves to EU Commission to decide which 3rd party software
> >> is still compliant.
> >
> >> The other options are just to prevent 3rd party firmware images. Or to
> >> require binary blob drivers for WiFi. None of those we really want. So
> >> how exactly do you see that the wording in current directive is not
> >> problematic? How would you in an ideal world implement this in practice
> >> for WiFi devices? If I understand you correctly, what you are saying is
> >> that we should hope this applies only to SDRs and not WiFi?
> >
> > Hi,
> >
> > First the EU commission could just decide that the list of devices
> > subjected to (i) will stay empty, which it is until the commission
> > writes a list of devices subjected to (i) and that list is not
> > opposed by council nor parliament.
> >
> > It could say that "compliance" is automatically "demonstrated" for free
> > software firmware with an up to date regulatory domain file. File which
> > could be provided in open format in open data at the EU level somewhere.
> >
> > It might decide to waive the requirement for all SDR type devices
> > (pretty hard to have a SDR market if you don't do that).
> >
> > Same for devices unable to reach more than 1 Watt conducted power
> > (about all OpenWRT hardware, most Ubiquiti does 23-27 dBm conducted).
> >
> > Competition laws are quite strong in the EU, that's why there's
> > preamble (19), a measure killing competition might not be liked
> > by courts in the end.
> >
> > Another thing is that up to now I've never heard about a compliance
> > case linked to free software firmware use (as most proprietary firmware
> > offer the user plenty of ways to bypass local regulations anyway).
> > So the case to ban it is pretty weak.
> >
> > And you can create a powerful radio generator on most frequencies
> > with less than $10 of non radio specific hardware, random URL:
> > http://www.instructables.com/id/The-Ultimate-FM-Transmitter/
> >
> > We just have to make sure that the EU commission and politicians
> > are aware that there are concerned citizens and industry and academia
> > about what the commission will do with Article 3 (3) (i).
> >
> > Sincerely,
> >
> > Laurent
> >
> >
> > _______________________________________________
> > Battlemesh mailing list
> > Battlemesh at ml.ninux.org
> > http://ml.ninux.org/mailman/listinfo/battlemesh
>
>
>
> --
> Dave Täht
> endo is a terrible disease: http://www.gofundme.com/SummerVsEndo
>