Ask Hackaday: SawStop — Bastion of Safety or Patent Troll

At first glance, SawStop seems like a hacker’s dream. A garage tinkerer comes up with a great idea, builds a product around it, and the world becomes a better place. As time has gone on, other companies have introduced similar products. Recently, SawStop successfully stopped Bosch from importing saws equipped with their Reaxx safety system into the USA. This not only impacts sales of new saws, but parts for existing equipment. Who gets screwed here? Unfortunately, it’s the owners of the Bosch saws, who now have a safety feature they might not be able to use in the future. This has earned some bad press for SawStop in forums and on websites like Reddit, where users have gone as far as to call SawStop a patent troll. Is that true or just Internet puffery? Read on and decide for yourself.

Continue reading “Ask Hackaday: SawStop — Bastion of Safety or Patent Troll”

California Looks to Compel IoT Security

There is a bill going through committee in the state of California which, if passed, would require a minium level of security for Internet of Things devices and then some. California SB 327 Information privacy: connected devices in its original form calls for connected device manufacturers to secure their devices, protect the information they collect or store, indicate when they are collecting it, get user approval before doing so, and be proactive in informing users of security updates:

require a manufacturer that sells or offers to sell a connected device, defined as any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device, to equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect it from unauthorized access, destruction, use, modification, or disclosure, and to design the device to indicate when it is collecting information and to obtain consumer consent before it collects or transmits information, as specified. The bill would also require a person who sells or offers to sell a connected device to provide a short, plainly written notice of the connected device’s information collection functions at the point of sale, as specified. The bill would require a manufacturer of a connected device to provide direct notification of security patches and updates to a consumer who purchases the device.

This is just a proposal and will change as it finds its way through committee. Currently there a really no methods of punishment outlined, but recent comments have suggested individual prosecutors may have latitude to interpret these cases as they see fit. Additionally it has been suggested that the devices in question would be required to notify in some way the user when information is being collected. No language exists yet to clarify or set forth rules on this matter.

The security community has been sounding the cry of lackluster (often lack of) security on this growing army of IoT hardware and we’ve all known one day the government would get involved. Often this type of action requires a major event where people were in some way harmed either physically or financially that would push this issue. Denial of service attacks have already occurred and hijacking of webcams and such are commonplace. Perhaps what we saw in September finally pushed this into the limelight.

Any reasonable person can see the necessity of some basic level of security such as eliminating default passwords and ensuring the security of the data. The question raised here is whether or not the government can get this right. Hackaday has previously argued that this is a much deeper problem than is being addressed in this bill.

The size of California’s economy (relative to both the nation and the world) and the high concentration of tech companies make it likely that standards imposed if this law passes will have a large effect on devices in all markets.

Florida Man Hates Amateur Radio

Any amateur radio operator who is living under a homeowner’s association, covenant, or has any other deed restriction on their property has a problem: antennas are ugly, and most HOAs outright ban everything from 2-meter whips to unobtrusive J-pole antennas.

Earlier this year, the ARRL got behind a piece of legislation called the Amateur Radio Parity Act. This proposed law would amend FCC’s Part 97 rules for amateur stations and direct, ‘Community associations to… permit the installation and maintenance of effective outdoor Amateur Radio antennas.’ This bill passed the US House without objection last September.

Last week, the Amateur Radio Parity Act died in the US Senate. Sen. Bill Nelson (D-FL), the ranking member of the Senate committee on Commerce, Science, and Transportation, refused to move the bill forward in the Senate. The ARRL has been in near constant contact with Senator Nelson’s office, but time simply ran out before the end of the 114th Congress. The legislation will be reintroduced into the 115th Congress next year.

Amateur Radio Parity Act Passes US House

Most new houses are part of homeowners associations, covenants, or have other restrictions on the deed that dictate what color you can paint your house, the front door, or what type of mailbox is acceptable. For amateur radio operators, that means neighbors have the legal means to remove radio antennas, whether they’re unobtrusive 2 meter whips or gigantic moon bounce arrays. Antennas are ugly, HOAs claim, and drive down property values. Thousands of amateur radio operators have been silenced on the airwaves, simply because neighbors don’t like ugly antennas.

Now, this is about to change. The US House recently passed the Amateur Radio Parity Act (H.R. 1301) to amend the FCC’s Part 97 rules of amateur stations and private land-use restrictions.

The proposed amendment provides, ““Community associations should fairly administer private land-use regulations in the interest of their communities, while nevertheless permitting the installation and maintenance of effective outdoor Amateur Radio antennas.” This does not guarantee all antennas are allowed in communities governed by an HOA; the bill simply provides that antennas, ‘consistent with the aesthetic and physical characteristics of land and structures in community associations’ may be accommodated. While very few communities would allow a gigantic towers, C-band dishes, or 160 meters of coax strung up between trees, this bill will provide for small dipoles and inconspicuous antennae.

The full text of H.R. 1301 can be viewed on the ARRL site. The next step towards making this bill law is passage through the senate, and as always, visiting, calling, mailing, faxing, and emailing your senators (in that order) is the most effective way to make views heard.

Apple Aftermath: Senate Entertains A New Encryption Bill

If you recall, there was a recent standoff between Apple and the U. S. Government regarding unlocking an iPhone. Senators Richard Burr and Dianne Feinstein have a “discussion draft” of a bill that appears to require companies to allow the government to court order decryption.

Here at Hackaday, we aren’t lawyers, so maybe we aren’t the best source of legislative commentary. However, on the face of it, this seems a bit overreaching. The first part of the proposed bill is simple enough: any “covered entity” that receives a court order for information must provide it in intelligible form or provide the technical assistance necessary to get the information in intelligible form. The problem, of course, is what if you can’t? A covered entity, by the way, is anyone from a manufacturer, to a software developer, a communications service, or a provider of remote computing or storage.

There are dozens of services (backup comes to mind) where only you have the decryption keys and there is nothing reasonable the provider can do to get your data if you lose your keys. That’s actually a selling point for their service. You might not be anxious to backup your hard drive if you knew the vendor could browse your data when they wanted to do so.

The proposed bill has some other issues, too. One section states that nothing in the document is meant to require or prohibit a specific design or operating system. However, another clause requires that covered entities provide products and services that are capable of complying with the rule.

A broad reading of this is troubling. If this were law, entire systems that don’t allow the provider or vendor to decrypt your data could be illegal in the U. S. Whole classes of cybersecurity techniques could become illegal, too. For example, many cryptography systems use the property of forward secrecy by generating unrecorded session keys. For example, consider an SSH session. If someone learns your SSH key, they can listen in or interfere with your SSH sessions. However, they can’t take recordings of your previous sessions and decode them. The mechanism is a little different between SSHv1 (which you shouldn’t be using) and SSHv2. If you are interested in the gory details for SSHv2, have a look at section 9.3.7 of RFC 4251.

In all fairness, this isn’t a bill yet. It is a draft and given some of the definitions in section 4, perhaps they plan to expand it so that it makes more sense, or – at least – is more practical. If not, then it seems to be an indication that we need legislators that understand our increasingly technical world and have some understanding of how the new economy works. After all, we’ve seen this before, right? Many countries are all too happy to enact and enforce tight banking privacy laws to encourage deposits from people who want to hide their money. What makes you think that if the U. S. weakens the ability of domestic companies to make data private, that the business of concealing data won’t just move offshore, too?

If you were living under a rock and missed the whole Apple and FBI controversy, [Elliot] can catch you up. Or, you can see what [Brian] thought about Apple’s response to the FBI’s demand.

Italian Law Changed by the Hackaday Prize

A recent change in Italian law was spurred by the Hackaday Prize. The old law restricted non-Italian companies from hosting contests in the country. With the update Italian citizens are now welcome to compete for the 2015 Hackaday Prize which will award $500,000 in prizes.

We’ve heard very few complaints about the Hackaday Prize. When we do, it’s almost always because there are some countries excluded from participation. We’ve tried very hard to include as much of the globe as possible, some countries simply must be excluded due to local laws regarding contests. The folks from Make in Italy saw last year’s offer of a Trip into Space or $196,418 and set out to get the local laws changed (translated). Happily they succeeded!

The Make in Italy Foundation was started to encourage and support FabLabs in Italy. After seeing two major Hacker and Maker oriented contests — The 2014 Hackaday Prize and the Intel Make it Wearable contest — exclude Italian citizens from entering. Their two prong approach sought out legal counsel and started a petition on signed by about 1.8k supporters.

We’ve been holding off on the announcement as we needed our own legal opinion on the change (we’re not great at understanding Italian legal PDFs without some help). But today we have removed Italy from the list of excluded countries. Submit your entry today just by writing down your idea of a build which will solve a problem faced by a large number of people. Build something that matters and you could win a Trip into Space, $100,000 for the ‘Best Product’, or hundreds of other prizes. But we’re not waiting until the end, over the next 17 weeks we’ll be giving out $50k in prizes to hundreds of entries.

[Thanks Alessandro]

The 2015 Hackaday Prize is sponsored by:

Do your projects violate International Traffic in Arms Regulations?

From time to time we consider the ramifications of hacking prowess being used for evil purposes. Knowledge is a powerful thing, but alone it is not a dangerous thing. Malicious intent is what takes a clever project and turns it to a tragic end. Conscientious hackers realize this, and [George Hadley] is one of them. While working on a new project he wondered if there were guidelines as to what knowledge should and should not be shared. It turns out that the United States has a set of International Traffic in Arms Regulations that mention concepts we’ve seen in many projects. He wrote up an article which covers the major points of the ITAR.

The gist of it is that sharing certain knowledge, by posting it on the Internet or otherwise, can be considered arms trafficking. It’ll get you a not-so-friendly visit from government officials and quite possibly a sponsored stay in a secure facility. Information about DIY radar, communications jamming, spying devices, UAVs, and a few other concepts are prohibited from being shared. The one qualifying part of that restriction is that it only applies if the information is not publicly known.