[HN Gopher] FCC Bans Authorizations for Devices That Pose Nation...
___________________________________________________________________
FCC Bans Authorizations for Devices That Pose National Security
Threat
Author : terramex
Score : 93 points
Date : 2022-11-26 20:01 UTC (2 hours ago)
(HTM) web link (www.fcc.gov)
| reversethread wrote:
| In reality, Chinese manufacturers will just ignore FCC licensing
| requirements. A good amount of cheap Chinese electronics on
| Amazon are already unlicensed, so I doubt any new changes will
| affect them. Online marketplaces like Amazon really need to crack
| down on products and make sure they are properly licensed.
| CoastalCoder wrote:
| Perhaps another approach is FCC enforcement against Amazon.
| dylan604 wrote:
| at some point, knowingly selling banned equipment should
| bring down some form of punishment to be sure. it just seems
| that the gov't is scared of public outcry for going after
| amazon and its ilk. it's like they don't want to spill the
| apple cart when the apple market is in "turmoil"?
| reversethread wrote:
| Not to mention Amazon's lobbying efforts.
| dylan604 wrote:
| didn't even consider Amazon actively trying to protect
| their front like that, but of course they would.
|
| i still weep for the Citizens United decision
| jauer wrote:
| and that's fine in the scheme of things. Random one-off imports
| by researchers or hobbyists via AliExpress? NBD.
|
| Deployments at-scale where vendor support engineers _could
| theoretically_ use cellular gear for passive collection? Major
| concern.
|
| Hytera being used for commercial 2-way radio? Similar concerns
| on the repeater side, not to mention questions about encryption
| quality if they are used by governments.
|
| You have to name the vendor for commercial 2-way radio
| licenses, for USDA RUS funding, etc. Lying on those forms
| brings far worse penalties than what a random individual buying
| a Hytera DMR for ham use off Amazon would face.
|
| Hikvision is the odd name here. AFAIK they do not make cellular
| handsets or base stations and were already prohibited from
| being used on government contracts.
| noasaservice wrote:
| Regarding Hikvision: I have a wide assortment of radio gear,
| and found cameras in our trailer park running on channel 12
| and 13 unencrypted Hikvision ip cams.
| phpisthebest wrote:
| I would rather Amazon focus on elimination of Counterfeits and
| Fraud, not enforcement of FCC protectionism
| toss1 wrote:
| It _IS_ a fraud and a counterfeit to illegally sell a device
| without a proper FCC license. They are either selling the
| device with a license ID for a different device (Counterfeit)
| or selling it without any license (Fraud).
|
| Either way, it certainly has not gone through the required
| tests for not producing unacceptable levels of interference,
| and so could at the very least create problems in your
| environment and other devices.
| azinman2 wrote:
| Why does this have to be either/or?
| dylan604 wrote:
| well, yes and no. Amazon most definitely has a
| counterfeit/stolen goods problem that they are deliberately
| (from outside perspectives) not doing anything about.
| however, if a "legit" vendor is selling devices that do not
| meet local regulations and it is known by the seller this is
| true, then the seller has blame as well.
| bagels wrote:
| Worse than unlicensed, they just lie and say they have
| certifications that they don't.
| [deleted]
| fnordpiglet wrote:
| """
|
| The Covered List (which lists both equipment and services)
| currently includes communications equipment produced by Huawei
| Technologies, ZTE Corporation, Hytera Communications, Hangzhou
| Hikvision Digital Technology, and Dahua Technology (and their
| subsidiaries and affiliates).
|
| """
| runlevel1 wrote:
| Link to the list: https://www.fcc.gov/supplychain/coveredlist
| [deleted]
| jasonhansel wrote:
| Is it just me, or does the full "report and order" spend way,
| _way_ too much time responding to the comments of various telecom
| companies and trade groups? The tone seems far too deferential,
| as if they're apologizing to the industry they're trying to
| regulate.
| readme wrote:
| in most cases, regulation in the US is basically a mouse trying
| to "regulate" the dinner of a lion by sneaking away a morsel or
| two
| bilsbie wrote:
| More like protecting the lion's dinner from other mice.
| chefandy wrote:
| Or, depending on the leadership, a lion overseeing prey
| protection policy.
| cplusplusfellow wrote:
| freshpots wrote:
| Don't turn this place into 4chan.
| [deleted]
| TechBro8615 wrote:
| This definitely won't be abused.
|
| Is Starlink a national security threat? What about a hardware
| wallet?
| sieabahlpark wrote:
| enkid wrote:
| Does a hardware wallet actually need FCC authorization?
| mynameisvlad wrote:
| Ledger wallets connect to your phone over Bluetooth, so they
| would ostensibly need the FCC to ok them.
| enkid wrote:
| Would the FCC ok the entire wallet or just the Bluetooth
| chip it's using?
| [deleted]
| nimbius wrote:
| the video surveillance bans all seem to target billion dollar
| companies, so its safe to say this is just your friendly
| lobbyists at ring, nest, and amazon getting an early christmas
| gift. the security argument is pretty flimsy considering how many
| american companies are just as bad (looking at you nest)
|
| the usual suspect, huawei, has been on americas shitlist ever
| since they beat US telcos to market with 5g. their cellphones all
| meet or exceed the build quality of a samsung or iphone and to
| date america has failed to produce any real evidence of a
| security issue except 'china scary.'
|
| toward the end of the presser its refreshing to see an
| octogenarian made sure to remind us all these companies are to
| some extent "government funded" as if americas subsidies to auto
| and airlines are somehow any different. "government owned" also
| gets condescendingly asserted as if the reader isnt familiar with
| how a planned economy under post soviet marxist theory works.
|
| ever since the net neutrality fiasco ive lost a lot of faith in
| the fcc. largely a toothless organization of corporate business
| interests.
| paganel wrote:
| > has been on americas shitlist ever since they beat US telcos
| to market with 5g
|
| Serious question, have the likes of Ericsson and Nokia
| managed to catch up with Huawei when it comes to 5G telco
| equipment?
|
| Last I dived into this was about 2-3 years ago, when that
| Huawei executive got arrested in Canada or some such, and if I
| remember right the discourse back then was that Huawei's 5G
| equipment was both cheaper and better compared to what the
| Western companies were able to provide at the time.
| UberFly wrote:
| Not saying there aren't lobbying efforts underway, but trying to
| limit Chinese-based video and audio equipment that's
| unaccountable to US laws or oversight from government locations
| seems like a reasonable thing to do. Dahua and Hikvision have a
| long history of backdoors. Many of these things chat like crazy
| to servers in China if not firewalled properly.
| formerly_proven wrote:
| I'm not sure how to tell you this but if your CCTV cameras
| can get to the internet you've done so many things so
| completely wrong that you just ought to stop doing whatever
| it is you're doing.
|
| Though the argument is more fair in relation to their DVR/VMS
| products, but it's difficult to see a reason to use those as
| better alternatives running on your own hardware exist.
|
| As a gov't installation your worries are different of course.
| I'd worry about, say, a specialized firmware finding its way
| to me, which can be commanded to disrupt surveillance in
| response to QR codes or other visual or auditory signals.
| yourapostasy wrote:
| _> "government owned" also gets condescendingly asserted as if
| the reader isnt familiar with how a planned economy under post
| soviet marxist theory works._
|
| Most readers of the article can be fairly assumed to know this.
| Most consumers (including b2b) outside of various tech and
| policy circles cannot, and the policy is aimed at short
| circuiting the banned functionally SOE's from embedding
| themselves into the communications infrastructure. Gathering
| intelligence from automotive and aerospace dominance yields
| substantially less actionable information than from dominance
| of communications infrastructure.
|
| The subsidies you are comparing are fundamentally,
| qualitatively different.
|
| It isn't just the FCC. The entire US government at all levels
| down to local is captured by corporate business interests.
| Doesn't mean every policy decision solely caters to those
| interests and ignores national defense interests. Also doesn't
| mean the US intelligence apparatus isn't in bed with Western
| communications technology manufacturers.
| roperj wrote:
| This might make some sense if you knew what the hell you were
| talking about, but Hikvision and Dahua are not at all in the
| same market segments as Nest and Ring - and this does not apply
| to the consumer market.
| phpisthebest wrote:
| >lobbyists at ring, nest, and amazon getting an early christmas
| gift
|
| This has no impact on sales to the consumer market for Video,
| the covered list [1] limits the ban to "the extent it is used
| for the purpose of public safety, security of government
| facilities"
|
| Ring, Nest etc are used for personal home and small business
| not likely covered under that ban, and the people buying
| Hikvision as an example most likely are not the target consumer
| of Ring devices. Hikvision is / was popular in commercial
| segment of professionally installed products, I know of zero
| professional installers doing commercial deployments of Ring.
| Companies like Axis however do get a boost as Axis is often
| many times more expensive than Hikvision
|
| [1]https://www.fcc.gov/supplychain/coveredlist
| cscurmudgeon wrote:
| > the video surveillance bans all seem to target billion dollar
| companies, so its safe to say this is just your friendly
| lobbyists at ring, nest, and amazon getting an early christmas
| gift
|
| How does that logically follow? Can billion dollar companies
| not be security threats?
|
| > the usual suspect, huawei, has been on americas shitlist ever
| since they beat US telcos to market with 5g. their cellphones
| all meet or exceed the build quality of a samsung or iphone and
| to date america has failed to produce any real evidence of a
| security issue except 'china scary.'
|
| No one and not even Huawei believes that.
|
| By your logic, you admit China has banned all these US websites
| as they are afraid of competition and not any other reason?
|
| https://en.wikipedia.org/wiki/List_of_websites_blocked_in_ma...
| largehotcoffee wrote:
| Good. https://www.wsj.com/articles/huawei-technicians-helped-
| afric...
| [deleted]
| emodendroket wrote:
| Which telco doesn't comply with requests from the government of
| the country they operate in?
| myself248 wrote:
| About time. We need open and verifiable firmware, at the very
| least, to be able to trust anything.
|
| Now if only they'd turn this lens on American-made devices which
| are likewise opaque, insecure, and likely to be weaponized
| against us as soon as security updates stop....
| comboy wrote:
| > We need open and verifiable firmware, at the very least, to
| be able to trust anything.
|
| How? Even ignoring ASICs, I just don't see how it's possible.
| Even if you had no binary blobs anywhere (we are already in the
| wonderland), with process for turning source to binary, you
| need to trust compiler, cpu, flashing hardware and software and
| the whole lot of other things.
|
| And that's all ignoring the fact that hiding bad stuff in open
| source is many orders of magnitude cheaper than finding it.
|
| I don't think we have even a theoretical plan for fixing
| computer security, it just becomes ML bots arena.
| lrvick wrote:
| You need deterministic builds of firmware artifacts proven to
| correspond to source code by multiple parties. You also need
| hardware purpose made to be user auditable.
|
| See: https://media.ccc.de/v/36c3-10690-open_source_is_insuffi
| cien...
| nonrandomstring wrote:
| > I don't think we have even a theoretical plan for fixing
| computer security.
|
| I think we do, but the implications of it are terrifying,
| overwhelming and just make people shrug and say "That'll
| never happen".
|
| How I see it there are two sides.
|
| Those who want a functioning technological society with all
| the benefits we believe in as hackers - transport, medicine,
| communications, planning... For that we'll have no choice but
| to make computers secure.
|
| That side is "society".
|
| In the other corner are those who do not want computers to be
| secure (despite what they say). They benefit from insecurity.
| These are;
|
| - Criminals.
|
| - Governments.
|
| - Industry.
|
| They are not aligned and fight amongst themselves. Only the
| criminals are honest in that they don't pretend to want
| secure computing. Governments and industry want secure
| computing for themselves, but not for the others, or for
| society.
|
| For secure computing to ever happen three well organised,
| well funded and determined groups would have to lose against
| a disorganised, distributed, and poor remainder.
|
| There are two things on our side to give us hope;
|
| - That the enemy of my enemy is a temporary friend.
|
| - Mathematics.
| AnthonyMouse wrote:
| > with process for turning source to binary, you need to
| trust compiler, cpu, flashing hardware and software and the
| whole lot of other things.
|
| "We should not solve this solvable problem because other
| problems exist" is false.
|
| Meanwhile the other problems have solutions, like
| reproducible builds, so that the attacker not only has to
| compromise your compiler/CPU/hardware, they also have to
| compromise any others the output result gets compared by, or
| one of them will differ and the attack will be detected.
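
The cross-check of independently rebuilt artifacts that lrvick and AnthonyMouse describe above, as an added example that is not part of the original thread. The builder names, the sample firmware bytes and the `min_builders` threshold are assumptions constructed for illustration.

```python
import hashlib

# Constructed sample data: a "clean" firmware image and a tampered variant.
CLEAN = b"FWv1:" + bytes(range(64))
TAMPERED = CLEAN + b"\x90implant"

def digest(blob):
    return hashlib.sha256(blob).hexdigest()

def verify_rebuilds(artifact, attestations, min_builders=3):
    """Check a shipped artifact against digests from independent rebuilders.

    attestations maps a (hypothetical) builder name to the SHA-256 it got
    by rebuilding the published source. Trust requires enough builders
    and zero disagreement; any mismatch is reported, not outvoted.
    """
    local = digest(artifact)
    dissenters = sorted(b for b, d in attestations.items() if d != local)
    return {
        "local_digest": local,
        "distinct_digests": len(set(attestations.values()) | {local}),
        "dissenters": dissenters,
        "trusted": len(attestations) >= min_builders and not dissenters,
    }

def scenarios():
    honest = {n: digest(CLEAN) for n in ("builder-a", "builder-b", "builder-c")}
    # One rebuilder's toolchain is compromised and emits the tampered image.
    one_bad = {**honest, "builder-c": digest(TAMPERED)}
    return {
        "all_agree": verify_rebuilds(CLEAN, honest),
        "shipped_image_tampered": verify_rebuilds(TAMPERED, honest),
        "one_builder_compromised": verify_rebuilds(CLEAN, one_bad),
        "too_few_builders": verify_rebuilds(CLEAN, {"builder-a": digest(CLEAN)}),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result["trusted"], result["dissenters"])
```

A single disagreeing digest blocks trust instead of being outvoted, because a mismatch means either the build is not deterministic or one party's toolchain or output was altered, and both need investigating.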
| TEP_Kim_Il_Sung wrote:
| That's not how this will be applied. Instead, I think, they
| will go after devices that don't contain government backdoors.
| ouEight12 wrote:
| > don't contain <the correct> government backdoors.
|
| Fixed that for you. :/
| 2OEH8eoCRo0 wrote:
| Which devices have government backdoors?
| jbverschoor wrote:
| Cisco iirc
| 2OEH8eoCRo0 wrote:
| Source?
| sschueller wrote:
| See CVE: https://www.cvedetails.com/vulnerability-
| list.php?vendor_id=...
|
| At some point you have to think these are deliberate.
| TedDoesntTalk wrote:
| Like the deliberate ones from TP-Link?
| 2OEH8eoCRo0 wrote:
| Extraordinary claims require extraordinary evidence. All
| I see are a lot of CVEs.
| fbdab103 wrote:
| If not intentional, it at least points to a culture that
| cannot be trusted with producing secure devices.
| freshpots wrote:
| Does it though? Are you a SWE?
| fbdab103 wrote:
| Given the number of times that a hard-coded password has
| been distributed on Cisco gear, yeah, I think it points
| to a cultural failure.
| croes wrote:
| https://www.tomshardware.com/news/cisco-backdoor-
| hardcoded-a...
| notrealyme123 wrote:
| Sounds like it: https://tools.cisco.com/security/center/c
| ontent/CiscoSecurit...
| glitchc wrote:
| Almost all of them?
| _jal wrote:
| Aside from Cisco, Juniper has not exactly been forthcoming
| about backdoors:
|
| https://www.wired.com/2016/01/new-discovery-around-
| juniper-b...
|
| If my job were to ensure backdoor access to everything I
| could, at least to get started I'd sort a list of hardware
| vendors by marketshare.
| [deleted]
| woodruffw wrote:
| Based on the actual news release[1], this is the FCC's formal
| statement of rules for compliance with the Secure Equipment Act
| of 2021[2].
|
| [1]: https://docs.fcc.gov/public/attachments/DOC-389524A1.pdf
|
| [2]: https://www.congress.gov/bill/117th-congress/house-bill/3919
| kryogen1c wrote:
| Thanks for connecting the dots, I was doing this research
| before I found your comment. I knew I had searched for covered
| telecom equipment last year.
|
| Also, I didn't know the covered list was being updated. Does
| anyone know what AO Kaspersky is? Is that the official
| corporate name for the anti-virus Kaspersky?
| woodruffw wrote:
| Yeah, I believe it's their corporate name. Their website
| lists their copyright as "AO Kaspersky Lab."
| [deleted]
| libpcap wrote:
| About time!
| [deleted]
| threatofrain wrote:
| https://news.ycombinator.com/item?id=33753442
___________________________________________________________________
(page generated 2022-11-26 23:00 UTC)