[HN Gopher] FCC Bans Authorizations for Devices That Pose Nation...
___________________________________________________________________

FCC Bans Authorizations for Devices That Pose National Security Threat

Author : terramex
Score : 93 points
Date : 2022-11-26 20:01 UTC (2 hours ago)

(HTM) web link (www.fcc.gov)
(TXT) w3m dump (www.fcc.gov)

| reversethread wrote:
| In reality, Chinese manufacturers will just ignore FCC licensing
| requirements. A good amount of cheap Chinese electronics on
| Amazon are already unlicensed, so I doubt any new changes will
| affect them. Online marketplaces like Amazon really need to crack
| down on products and make sure they are properly licensed.

| CoastalCoder wrote:
| Perhaps another approach is FCC enforcement against Amazon.

| dylan604 wrote:
| at some point, knowingly selling banned equipment should
| bring down some form of punishment to be sure. it just seems
| that the gov't is scared of public outcry for going after
| amazon and its ilk. it's like they don't want to spill the
| apple cart when the apple market is in "turmoil"?

| reversethread wrote:
| Not to mention Amazon's lobbying efforts.

| dylan604 wrote:
| didn't even consider Amazon actively trying to protect
| their front like that, but of course they would.
|
| i still weep for the Citizens United decision

| jauer wrote:
| and that's fine in the scheme of things. Random one-off imports
| by researchers or hobbyists via AliExpress? NBD.
|
| Deployments at-scale where vendor support engineers _could
| theoretically_ use cellular gear for passive collection? Major
| concern.
|
| Hytera being used for commercial 2-way radio? Similar concerns
| on the repeater side, not to mention questions about encryption
| quality if they are used by governments.
|
| You have to name the vendor for commercial 2-way radio
| licenses, for USDA RUS funding, etc.
| Lying on those forms brings far worse penalties than what a random
| individual buying a Hytera DMR for ham use off Amazon would face.
|
| Hikvision is the odd name here. AFAIK they do not make cellular
| handsets or base stations and were already prohibited from
| being used on government contracts.

| noasaservice wrote:
| Regarding Hikvision: I have a wide assortment of radio gear,
| and found cameras in our trailer park running on channel 12
| and 13 unencrypted Hikvision ip cams.

| phpisthebest wrote:
| I would rather Amazon focus on elimination of Counterfeits and
| Fraud, not enforcement of FCC protectionism

| toss1 wrote:
| It _IS_ a fraud and a counterfeit to illegally sell a device
| without a proper FCC license. They are either selling the
| device with a license ID for a different device (Counterfeit)
| or selling it without any license (Fraud).
|
| Either way, it certainly has not gone through the required
| tests for not producing unacceptable levels of interference,
| and so could at the very least create problems in your
| environment and other devices.

| azinman2 wrote:
| Why does this have to be either/or?

| dylan604 wrote:
| well, yes and no. Amazon most definitely has a
| counterfeit/stolen goods problem that they are deliberately
| (from outside perspectives) not doing anything about.
| however, if a "legit" vendor is selling devices that do not
| meet local regulations and it is known by the seller this is
| true, then the seller has blame as well.

| bagels wrote:
| Worse than unlicensed, they just lie and say they have
| certifications that they don't.

| [deleted]

| fnordpiglet wrote:
| """
|
| The Covered List (which lists both equipment and services)
| currently includes communications equipment produced by Huawei
| Technologies, ZTE Corporation, Hytera Communications, Hangzhou
| Hikvision Digital Technology, and Dahua Technology (and their
| subsidiaries and affiliates).
|
| """

| runlevel1 wrote:
| Link to the list: https://www.fcc.gov/supplychain/coveredlist

| [deleted]

| jasonhansel wrote:
| Is it just me, or does the full "report and order" spend way,
| _way_ too much time responding to the comments of various telecom
| companies and trade groups? The tone seems far too deferential,
| as if they're apologizing to the industry they're trying to
| regulate.

| readme wrote:
| in most cases, regulation in the US is basically a mouse trying
| to "regulate" the dinner of a lion by sneaking away a morsel or
| two

| bilsbie wrote:
| More like protecting the lion's dinner from other mice.

| chefandy wrote:
| Or, depending on the leadership, a lion overseeing prey
| protection policy.

| cplusplusfellow wrote:

| freshpots wrote:
| Don't turn this place into 4chan.

| [deleted]

| TechBro8615 wrote:
| This definitely won't be abused.
|
| Is Starlink a national security threat? What about a hardware
| wallet?

| sieabahlpark wrote:

| enkid wrote:
| Does a hardware wallet actually need FCC authorization?

| mynameisvlad wrote:
| Ledger wallets connect to your phone over Bluetooth, so they
| would ostensibly need the FCC to ok them.

| enkid wrote:
| Would the FCC ok the entire wallet or just the Bluetooth
| chip it's using?

| [deleted]

| nimbius wrote:
| the video surveillance bans all seem to target billion dollar
| companies, so it's safe to say this is just your friendly
| lobbyists at ring, nest, and amazon getting an early christmas
| gift. the security argument is pretty flimsy considering how many
| american companies are just as bad (looking at you nest)
|
| the usual suspect, huawei, has been on america's shitlist ever
| since they beat US telcos to market with 5g. their cellphones all
| meet or exceed the build quality of a samsung or iphone and to
| date america has failed to produce any real evidence of a
| security issue except 'china scary.'
|
| toward the end of the presser it's refreshing to see an
| octogenarian made sure to remind us all these companies are to
| some extent "government funded" as if america's subsidies to auto
| and airlines are somehow any different. "government owned" also
| gets condescendingly asserted as if the reader isn't familiar with
| how a planned economy under post soviet marxist theory works.
|
| ever since the net neutrality fiasco i've lost a lot of faith in
| the fcc. largely a toothless organization of corporate business
| interests.

| paganel wrote:
| > has been on americas shitlist ever since they beat US telcos
| to market with 5g
|
| Serious question, have the likes of Ericsson and Nokia
| managed to catch up with Huawei when it comes to 5G telco
| equipment?
|
| Last I dived into this was about 2-3 years ago, when that
| Huawei executive got arrested in Canada or some such, and if I
| remember right the discourse back then was that Huawei's 5G
| equipment was both cheaper and better compared to what the
| Western companies were able to provide at the time.

| UberFly wrote:
| Not saying there aren't lobbying efforts underway, but trying to
| limit Chinese-based video and audio equipment that's
| unaccountable to US laws or oversight from government locations
| seems like a reasonable thing to do. Dahua and Hikvision have a
| long history of backdoors. Many of these things chat like crazy
| to servers in China if not firewalled properly.

| formerly_proven wrote:
| I'm not sure how to tell you this but if your CCTV cameras
| can get to the internet you've done so many things so
| completely wrong that you just ought to stop doing whatever
| it is you're doing.
|
| Though the argument is more fair in relation to their DVR/VMS
| products, but it's difficult to see a reason to use those as
| better alternatives running on your own hardware exist.
|
| As a gov't installation your worries are different of course.
| I'd worry about, say, a specialized firmware finding its way
| to me, which can be commanded to disrupt surveillance in
| response to QR codes or other visual or auditory signals.

| yourapostasy wrote:
| _> "government owned" also gets condescendingly asserted as if
| the reader isnt familiar with how a planned economy under post
| soviet marxist theory works._
|
| Most readers of the article can be fairly assumed to know this.
| Most consumers (including b2b) outside of various tech and
| policy circles cannot, and the policy is aimed at short
| circuiting the banned functionally SOE's from embedding
| themselves into the communications infrastructure. Gathering
| intelligence from automotive and aerospace dominance yields
| substantially less actionable information than from dominance
| of communications infrastructure.
|
| The subsidies you are comparing are fundamentally,
| qualitatively different.
|
| It isn't just the FCC. The entire US government at all levels
| down to local is captured by corporate business interests.
| Doesn't mean every policy decision solely caters to those
| interests and ignores national defense interests. Also doesn't
| mean the US intelligence apparatus isn't in bed with Western
| communications technology manufacturers.

| roperj wrote:
| This might make some sense if you knew what the hell you were
| talking about, but Hikvision and Dahua are not at all in the
| same market segments as Nest and Ring - and this does not apply
| to the consumer market.
| phpisthebest wrote:
| >lobbyists at ring, nest, and amazon getting an early christmas
| gift
|
| This has no impact on sales to the consumer market for Video,
| the covered list [1] limits the ban to "the extent it is used
| for the purpose of public safety, security of government
| facilities"
|
| Ring, Nest etc are used for personal home and small business
| not likely covered under that ban, and the people buying
| Hikvision as an example most likely are not the target consumer
| of Ring devices. Hikvision is / was popular in commercial
| segment of professionally installed products, I know of zero
| professional installers doing commercial deployments of Ring.
| Companies like Axis however do get a boost as Axis is often
| many times more expensive than Hikvision
|
| [1]https://www.fcc.gov/supplychain/coveredlist

| cscurmudgeon wrote:
| > the video surveillance bans all seem to target billion dollar
| companies, so its safe to say this is just your friendly
| lobbyists at ring, nest, and amazon getting an early christmas
| gift
|
| How does that logically follow? Can billion dollar companies
| not be security threats?
|
| > the usual suspect, huawei, has been on americas shitlist ever
| since they beat US telcos to market with 5g. their cellphones
| all meet or exceed the build quality of a samsung or iphone and
| to date america has failed to produce any real evidence of a
| security issue except 'china scary.'
|
| No one and not even Huawei believes that.
|
| By your logic, you admit China has banned all these US websites
| as they are afraid of competition and not any other reason?
|
| https://en.wikipedia.org/wiki/List_of_websites_blocked_in_ma...

| largehotcoffee wrote:
| Good. https://www.wsj.com/articles/huawei-technicians-helped-afric...

| [deleted]

| emodendroket wrote:
| Which telco doesn't comply with requests from the government of
| the country they operate in?

| myself248 wrote:
| About time.
| We need open and verifiable firmware, at the very
| least, to be able to trust anything.
|
| Now if only they'd turn this lens on American-made devices which
| are likewise opaque, insecure, and likely to be weaponized
| against us as soon as security updates stop....

| comboy wrote:
| > We need open and verifiable firmware, at the very least, to
| be able to trust anything.
|
| How? Even ignoring ASICs, I just don't see how it's possible.
| Even if you had no binary blobs anywhere (we are already in the
| wonderland), with process for turning source to binary, you
| need to trust compiler, cpu, flashing hardware and software and
| the whole lot of other things.
|
| And that's all ignoring the fact that hiding bad stuff in open
| source is many orders of magnitude cheaper than finding it.
|
| I don't think we have even a theoretical plan for fixing
| computer security, it just becomes ML bots arena.

| lrvick wrote:
| You need deterministic builds of firmware artifacts proven to
| correspond to source code by multiple parties. You also need
| hardware purpose made to be user auditable.
|
| See: https://media.ccc.de/v/36c3-10690-open_source_is_insufficien...

| nonrandomstring wrote:
| > I don't think we have even a theoretical plan for fixing
| computer security.
|
| I think we do, but the implications of it are terrifying,
| overwhelming and just make people shrug and say "That'll
| never happen".
|
| How I see it there are two sides.
|
| Those who want a functioning technological society with all
| the benefits we believe in as hackers - transport, medicine,
| communications, planning... For that we'll have no choice but
| to make computers secure.
|
| That side is "society".
|
| In the other corner are those who do not want computers to be
| secure (despite what they say). They benefit from insecurity.
| These are;
|
| - Criminals.
| - Governments.
| - Industry.
|
| They are not aligned and fight amongst themselves.
| Only the criminals are honest in that they don't pretend to want
| secure computing. Governments and industry want secure
| computing for themselves, but not for the others, or for
| society.
|
| For secure computing to ever happen three well organised,
| well funded and determined groups would have to lose against
| a disorganised, distributed, and poor remainder.
|
| There are two things on our side to give us hope;
|
| - That the enemy of my enemy is a temporary friend.
|
| - Mathematics.

| AnthonyMouse wrote:
| > with process for turning source to binary, you need to
| trust compiler, cpu, flashing hardware and software and the
| whole lot of other things.
|
| "We should not solve this solvable problem because other
| problems exist" is false.
|
| Meanwhile the other problems have solutions, like
| reproducible builds, so that the attacker not only has to
| compromise your compiler/CPU/hardware, they also have to
| compromise any others the output result gets compared by, or
| one of them will differ and the attack will be detected.

| TEP_Kim_Il_Sung wrote:
| That's not how this will be applied. Instead, I think, they
| will go after devices that don't contain government backdoors.

| ouEight12 wrote:
| > don't contain <the correct> government backdoors.
|
| Fixed that for you. :/

| 2OEH8eoCRo0 wrote:
| Which devices have government backdoors?

| jbverschoor wrote:
| Cisco iirc

| 2OEH8eoCRo0 wrote:
| Source?

| sschueller wrote:
| See CVE: https://www.cvedetails.com/vulnerability-list.php?vendor_id=...
|
| At some point you have to think these are deliberate.

| TedDoesntTalk wrote:
| Like the deliberate ones from TP-Link?

| 2OEH8eoCRo0 wrote:
| Extraordinary claims require extraordinary evidence. All
| I see are a lot of CVEs.

| fbdab103 wrote:
| If not intentional, it at least points to a culture that
| cannot be trusted with producing secure devices.

| freshpots wrote:
| Does it though? Are you a SWE?
| fbdab103 wrote:
| Given the number of times that a hard-coded password has
| been distributed on Cisco gear, yeah, I think it points
| to a cultural failure.

| croes wrote:
| https://www.tomshardware.com/news/cisco-backdoor-hardcoded-a...

| notrealyme123 wrote:
| Sounds like it: https://tools.cisco.com/security/center/content/CiscoSecurit...

| glitchc wrote:
| Almost all of them?

| _jal wrote:
| Aside from Cisco, Juniper has not exactly been forthcoming
| about backdoors:
|
| https://www.wired.com/2016/01/new-discovery-around-juniper-b...
|
| If my job were to ensure backdoor access to everything I
| could, at least to get started I'd sort a list of hardware
| vendors by marketshare.

| [deleted]

| woodruffw wrote:
| Based on the actual news release[1], this is the FCC's formal
| statement of rules for compliance with the Secure Equipment Act
| of 2021[2].
|
| [1]: https://docs.fcc.gov/public/attachments/DOC-389524A1.pdf
|
| [2]: https://www.congress.gov/bill/117th-congress/house-bill/3919

| kryogen1c wrote:
| Thanks for connecting the dots, I was doing this research
| before I found your comment. I knew I had searched for covered
| telecom equipment last year.
|
| Also, I didn't know the covered list was being updated. Does
| anyone know what AO Kaspersky is? Is that the official
| corporate name for the anti-virus Kaspersky?

| woodruffw wrote:
| Yeah, I believe it's their corporate name. Their website
| lists their copyright as "AO Kaspersky Lab."

| [deleted]

| libpcap wrote:
| About time!

| [deleted]

| threatofrain wrote:
| https://news.ycombinator.com/item?id=33753442
___________________________________________________________________
(page generated 2022-11-26 23:00 UTC)