The British Drone Law Reaches Parliament

We’ve brought you a variety of stories over the years covering the interface between multirotor fliers and the law, and looked at the credibility gap between some official incident reports and the capabilities of real drones. In the news this week is a proposed new law in front of the British House of Commons that would bring in a licensing scheme for machines weighing over 250 g, as well as new powers to seize drones. We’ve previously told you about the consultation that led up to it, and its original announcement.

As a British voter with some interest in the matter, I decided to write to my Member of Parliament about it, and since my letter says what I would have written to cover the story anyway it stands below in lieu of the normal Hackaday article format. If you are a British multirotor flier this is an issue you need to be aware of, and if you have any concerns you should consider raising them with your MP as well.

Hack Space Debris At Your Peril

Who has dibs on space debris? If getting to it were a solved problem, it sure would be fun to use dead orbital hardware as something of a hacker’s junk bin. Turns out there is some precedent for this, and regulations already in place in the international community.

To get you into the right frame of mind: it’s once again 2100 AD and hackers are living in mile-long space habitats in the Earth-Moon system. But from where do those hackers get their raw material, their hardware? The system abounds with space debris, defunct satellites from a century of technological progress. According to Earth maritime law, if space is to be treated like international waters then the right of salvage would permit them to take parts from any derelict. But is space like international waters? Or would hacking space debris result in doing hard time in the ice mines of Ceres?

Ask Hackaday: SawStop — Bastion of Safety or Patent Troll

At first glance, SawStop seems like a hacker’s dream. A garage tinkerer comes up with a great idea, builds a product around it, and the world becomes a better place. As time has gone on, other companies have introduced similar products. Recently, SawStop successfully stopped Bosch from importing saws equipped with their Reaxx safety system into the USA. This not only impacts sales of new saws, but parts for existing equipment. Who gets screwed here? Unfortunately, it’s the owners of the Bosch saws, who now have a safety feature they might not be able to use in the future. This has earned some bad press for SawStop in forums and on websites like Reddit, where users have gone as far as to call SawStop a patent troll. Is that true or just Internet puffery? Read on and decide for yourself.

California Looks to Compel IoT Security

There is a bill going through committee in the state of California which, if passed, would require a minimum level of security for Internet of Things devices and then some. California SB 327, “Information privacy: connected devices,” in its original form calls for connected device manufacturers to secure their devices, protect the information they collect or store, indicate when they are collecting it, get user approval before doing so, and be proactive in informing users of security updates:

require a manufacturer that sells or offers to sell a connected device, defined as any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device, to equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect it from unauthorized access, destruction, use, modification, or disclosure, and to design the device to indicate when it is collecting information and to obtain consumer consent before it collects or transmits information, as specified. The bill would also require a person who sells or offers to sell a connected device to provide a short, plainly written notice of the connected device’s information collection functions at the point of sale, as specified. The bill would require a manufacturer of a connected device to provide direct notification of security patches and updates to a consumer who purchases the device.

This is just a proposal and will change as it finds its way through committee. Currently there are really no methods of punishment outlined, but recent comments have suggested individual prosecutors may have latitude to interpret these cases as they see fit. Additionally, it has been suggested that the devices in question would be required to notify the user in some way when information is being collected. No language exists yet to clarify or set forth rules on this matter.

The security community has been sounding the cry of lackluster (often lack of) security on this growing army of IoT hardware, and we’ve all known one day the government would get involved. Often this type of action requires a major event, where people were in some way harmed either physically or financially, to push the issue. Denial of service attacks have already occurred, and hijacking of webcams and the like is commonplace. Perhaps what we saw in September finally pushed this into the limelight.

Any reasonable person can see the necessity of some basic level of security such as eliminating default passwords and ensuring the security of the data. The question raised here is whether or not the government can get this right. Hackaday has previously argued that this is a much deeper problem than is being addressed in this bill.

The size of California’s economy (relative to both the nation and the world) and the high concentration of tech companies make it likely that standards imposed if this law passes will have a large effect on devices in all markets.

Florida Man Hates Amateur Radio

Any amateur radio operator who is living under a homeowner’s association, covenant, or has any other deed restriction on their property has a problem: antennas are ugly, and most HOAs outright ban everything from 2-meter whips to unobtrusive J-pole antennas.

Earlier this year, the ARRL got behind a piece of legislation called the Amateur Radio Parity Act. This proposed law would amend FCC’s Part 97 rules for amateur stations and direct, ‘Community associations to… permit the installation and maintenance of effective outdoor Amateur Radio antennas.’ This bill passed the US House without objection last September.

Last week, the Amateur Radio Parity Act died in the US Senate. Sen. Bill Nelson (D-FL), the ranking member of the Senate committee on Commerce, Science, and Transportation, refused to move the bill forward in the Senate. The ARRL has been in near constant contact with Senator Nelson’s office, but time simply ran out before the end of the 114th Congress. The legislation will be reintroduced into the 115th Congress next year.

Amateur Radio Parity Act Passes US House

Most new houses are part of homeowners associations, covenants, or have other restrictions on the deed that dictate what color you can paint your house, the front door, or what type of mailbox is acceptable. For amateur radio operators, that means neighbors have the legal means to remove radio antennas, whether they’re unobtrusive 2 meter whips or gigantic moon bounce arrays. Antennas are ugly, HOAs claim, and drive down property values. Thousands of amateur radio operators have been silenced on the airwaves, simply because neighbors don’t like ugly antennas.

Now, this is about to change. The US House recently passed the Amateur Radio Parity Act (H.R. 1301) to amend the FCC’s Part 97 rules of amateur stations and private land-use restrictions.

The proposed amendment provides, “Community associations should fairly administer private land-use regulations in the interest of their communities, while nevertheless permitting the installation and maintenance of effective outdoor Amateur Radio antennas.” This does not guarantee all antennas are allowed in communities governed by an HOA; the bill simply provides that antennas, ‘consistent with the aesthetic and physical characteristics of land and structures in community associations’ may be accommodated. While very few communities would allow gigantic towers, C-band dishes, or 160 meters of coax strung up between trees, this bill will provide for small dipoles and inconspicuous antennae.

The full text of H.R. 1301 can be viewed on the ARRL site. The next step towards making this bill law is passage through the Senate, and as always, visiting, calling, mailing, faxing, and emailing your senators (in that order) is the most effective way to make views heard.

Apple Aftermath: Senate Entertains A New Encryption Bill

If you recall, there was a recent standoff between Apple and the U.S. Government regarding unlocking an iPhone. Senators Richard Burr and Dianne Feinstein have a “discussion draft” of a bill that appears to require companies to allow the government to court-order decryption.

Here at Hackaday, we aren’t lawyers, so maybe we aren’t the best source of legislative commentary. However, on the face of it, this seems a bit overreaching. The first part of the proposed bill is simple enough: any “covered entity” that receives a court order for information must provide it in intelligible form or provide the technical assistance necessary to get the information in intelligible form. The problem, of course, is what if you can’t? A covered entity, by the way, is anyone from a manufacturer, to a software developer, a communications service, or a provider of remote computing or storage.

There are dozens of services (backup comes to mind) where only you have the decryption keys and there is nothing reasonable the provider can do to get your data if you lose your keys. That’s actually a selling point for their service. You might not be anxious to back up your hard drive if you knew the vendor could browse your data when they wanted to do so.

The proposed bill has some other issues, too. One section states that nothing in the document is meant to require or prohibit a specific design or operating system. However, another clause requires that covered entities provide products and services that are capable of complying with the rule.

A broad reading of this is troubling. If this were law, entire systems that don’t allow the provider or vendor to decrypt your data could be illegal in the U.S. Whole classes of cybersecurity techniques could become illegal, too. For example, many cryptography systems use the property of forward secrecy by generating unrecorded session keys. Consider an SSH session. If someone learns your SSH key, they can listen in or interfere with your SSH sessions. However, they can’t take recordings of your previous sessions and decode them. The mechanism is a little different between SSHv1 (which you shouldn’t be using) and SSHv2. If you are interested in the gory details for SSHv2, have a look at section 9.3.7 of RFC 4251.

In all fairness, this isn’t a bill yet. It is a draft and given some of the definitions in section 4, perhaps they plan to expand it so that it makes more sense, or – at least – is more practical. If not, then it seems to be an indication that we need legislators that understand our increasingly technical world and have some understanding of how the new economy works. After all, we’ve seen this before, right? Many countries are all too happy to enact and enforce tight banking privacy laws to encourage deposits from people who want to hide their money. What makes you think that if the U.S. weakens the ability of domestic companies to make data private, the business of concealing data won’t just move offshore, too?

If you were living under a rock and missed the whole Apple and FBI controversy, [Elliot] can catch you up. Or, you can see what [Brian] thought about Apple’s response to the FBI’s demand.